
Windows Analysis Report
rdwREyLU2K.exe

Overview

General Information

Sample Name: rdwREyLU2K.exe
Analysis ID: 715064
MD5: 25d6c4747284bf8489b1faa56a1ddd42
SHA1: 49112625189085cdde41b13809efa60d3d26fc5a
SHA256: 17589e726e9a629be05b4a39848c3a399549b646c38bbe9ac4c301a261dacc8f
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • rdwREyLU2K.exe (PID: 4240 cmdline: C:\Users\user\Desktop\rdwREyLU2K.exe MD5: 25D6C4747284BF8489B1FAA56A1DDD42)
    • rdwREyLU2K.exe (PID: 4844 cmdline: C:\Users\user\Desktop\rdwREyLU2K.exe MD5: 25D6C4747284BF8489B1FAA56A1DDD42)
    • rdwREyLU2K.exe (PID: 5436 cmdline: C:\Users\user\Desktop\rdwREyLU2K.exe MD5: 25D6C4747284BF8489B1FAA56A1DDD42)
  • cleanup
Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Host": "smtp.yandex.com", "Username": "viorel5000@yandex.ru", "Password": "YAWALESS123@@"}
Yara matches in memory dumps

Source | Rule | Description | Author
00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Matched strings:
  • 0x2feda:$a13: get_DnsResolver
  • 0x2e689:$a20: get_LastAccessed
  • 0x3086c:$a27: set_InternalServerPort
  • 0x30b89:$a30: set_GuidMasterKey
  • 0x2e790:$a33: get_Clipboard
  • 0x2e79e:$a34: get_Keyboard
  • 0x2fb10:$a35: get_ShiftKeyDown
  • 0x2fb21:$a36: get_AltKeyDown
  • 0x2e7ab:$a37: get_Password
  • 0x2f2c0:$a38: get_PasswordHash
  • 0x302d7:$a39: get_DefaultCredentials
00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Yara matches in unpacked PE files

Source | Rule | Description | Author
2.0.rdwREyLU2K.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.0.rdwREyLU2K.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.0.rdwREyLU2K.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Matched strings:
  • 0x329ce:$s10: logins
  • 0x32420:$s11: credential
  • 0x2e990:$g1: get_Clipboard
  • 0x2e99e:$g2: get_Keyboard
  • 0x2e9ab:$g3: get_Password
  • 0x2fd00:$g4: get_CtrlKeyDown
  • 0x2fd10:$g5: get_ShiftKeyDown
  • 0x2fd21:$g6: get_AltKeyDown
2.0.rdwREyLU2K.exe.400000.0.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Matched strings:
  • 0x300da:$a13: get_DnsResolver
  • 0x2e889:$a20: get_LastAccessed
  • 0x30a6c:$a27: set_InternalServerPort
  • 0x30d89:$a30: set_GuidMasterKey
  • 0x2e990:$a33: get_Clipboard
  • 0x2e99e:$a34: get_Keyboard
  • 0x2fd10:$a35: get_ShiftKeyDown
  • 0x2fd21:$a36: get_AltKeyDown
  • 0x2e9ab:$a37: get_Password
  • 0x2f4c0:$a38: get_PasswordHash
  • 0x304d7:$a39: get_DefaultCredentials
0.2.rdwREyLU2K.exe.3db5fb8.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: rdwREyLU2K.exe | ReversingLabs: Detection: 29%
Source: rdwREyLU2K.exe | Virustotal: Detection: 29%
Source: rdwREyLU2K.exe | Joe Sandbox ML: detected
Source: 2.0.rdwREyLU2K.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "SMTP", "Host": "smtp.yandex.com", "Username": "viorel5000@yandex.ru", "Password": "YAWALESS123@@"}
Source: rdwREyLU2K.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rdwREyLU2K.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: global traffic | TCP traffic: 192.168.2.5:49701 -> 77.88.21.158:587
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\rdwREyLU2K.exe
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Window created: window name: CLIPBRDWNDCLASS

                System Summary

                barindex
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC58A4998u002d7433u002d494Bu002dB2D2u002dA8FEAD990F31u007d/D5CBB07Eu002d511Du002d490Eu002dB2A4u002d9220D0937D05.csLarge array initialization: .cctor: array initializer size 10527
                Source: rdwREyLU2K.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_054C6DD10_2_054C6DD1
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_054C6DE00_2_054C6DE0
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_054C69680_2_054C6968
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 0_2_054C69780_2_054C6978
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_02BEF3402_2_02BEF340
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_02BEF6882_2_02BEF688
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_02BE63E32_2_02BE63E3
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_02BEB0182_2_02BEB018
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_059FC5E82_2_059FC5E8
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_059F1FF82_2_059F1FF8
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_059F00402_2_059F0040
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_05EB7E882_2_05EB7E88
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_05EBD2E82_2_05EBD2E8
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: 2_2_05EB1D282_2_05EB1D28
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeCode function: String function: 059F5990 appears 55 times
                Source: rdwREyLU2K.exe, 00000000.00000002.338876960.00000000029C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.338876960.00000000029C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWebName.dll4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.348203894.0000000007520000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMetal.dllJ vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed88178ad-7157-425e-ae97-b775a499568e.exe4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.341000791.00000000039C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.341488518.0000000003A80000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed88178ad-7157-425e-ae97-b775a499568e.exe4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000000.295359703.0000000000582000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVrBY.exeL vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.348095716.0000000007340000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000000.00000002.347978184.00000000072F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000002.00000002.562932468.0000000000938000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe, 00000002.00000000.335922021.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed88178ad-7157-425e-ae97-b775a499568e.exe4 vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe | Binary or memory string: OriginalFilenameVrBY.exeL vs rdwREyLU2K.exe
                Source: rdwREyLU2K.exe | ReversingLabs: Detection: 29%
                Source: rdwREyLU2K.exe | Virustotal: Detection: 29%
                Source: rdwREyLU2K.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\rdwREyLU2K.exe C:\Users\user\Desktop\rdwREyLU2K.exe
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Process created: C:\Users\user\Desktop\rdwREyLU2K.exe C:\Users\user\Desktop\rdwREyLU2K.exe
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rdwREyLU2K.exe.log
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
                Source: rdwREyLU2K.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: 2.0.rdwREyLU2K.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: rdwREyLU2K.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: rdwREyLU2K.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: rdwREyLU2K.exe, NetworkArithmeticGame/Form1.cs | .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.rdwREyLU2K.exe.580000.0.unpack, NetworkArithmeticGame/Form1.cs | .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Code function: 0_2_04F9F618 pushad ; retf 0_2_04F9F619
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Code function: 2_2_05EBA582 push FFFFFF8Dh; retf 2_2_05EBA584
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTR
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAMENSYSTEM\CONTROLSET001\SERVICES\DISK\ENUM
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe TID: 1004 | Thread sleep time: -41226s >= -30000s
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe TID: 1888 | Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe TID: 6064 | Thread sleep count: 9570 > 30
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Window / User API: threadDelayed 9570
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Thread delayed: delay time: 41226
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Thread delayed: delay time: 922337203685477
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II2VM Additions S3 Trio32/64
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareFSELECT * FROM Win32_VideoController
                Source: rdwREyLU2K.exe, 00000002.00000002.570947240.00000000062A0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUDSOFTWARE\VMware, Inc.\VMware Tools
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARETSOFTWARE\Oracle\VirtualBox Guest Additions
                Source: rdwREyLU2K.exe, 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\6HARDWARE\Description\System VideoBiosVersion
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Code function: 2_2_05EBE998 LdrInitializeThunk,2_2_05EBE998
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Memory written: C:\Users\user\Desktop\rdwREyLU2K.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Process created: C:\Users\user\Desktop\rdwREyLU2K.exe C:\Users\user\Desktop\rdwREyLU2K.exe
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Users\user\Desktop\rdwREyLU2K.exe VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rdwREyLU2K.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Users\user\Desktop\rdwREyLU2K.exe | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTR
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTR
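
The file and registry events above are the observable footprint of the credential-theft signatures listed at the top of this report (mail credentials, WinSCP sessions, FTP logins, browser logins). The following Python is an added example by the editor, not part of the Joe Sandbox output: it parses behavior lines in the report's "Source: ... | File opened: ..." / "Key opened: ..." form (and the fused form produced by copying the HTML, with the trailing "Jump to behavior" link text) and maps each accessed path or key to the application it belongs to and to an ATT&CK sub-technique. The store table and the technique mapping (T1552.001 Credentials In Files, T1552.002 Credentials in Registry, T1555.003 Credentials from Web Browsers) are the editor's assumptions; the sample lines are copied from this section.

```python
"""Triage credential-store access in sandbox behavior lines.

Added example for this report page. The CREDENTIAL_STORES table and the
ATT&CK mapping are the editor's assumptions, not Joe Sandbox output.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the events from this report's "Stealing of
# Sensitive Information" section, one per line. The Yara line is included
# to show that non-file/registry events are skipped by the parser.
SAMPLE_EVENTS = r"""
Source: Yara match | File source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rdwREyLU2K.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
"""

# Editor's mapping (assumption): path fragment -> application, what is stored
# there, and the ATT&CK sub-technique that access to it evidences.
CREDENTIAL_STORES = [
    (r"\Thunderbird\profiles.ini", "Thunderbird", "mail profile index", "T1552.001"),
    (r"\Windows Messaging Subsystem\Profiles\Outlook", "Outlook", "MAPI profile (registry)", "T1552.002"),
    (r"\IncrediMail\Identities", "IncrediMail", "mail identities (registry)", "T1552.002"),
    (r"\Martin Prikryl\WinSCP 2\Sessions", "WinSCP", "saved SFTP/SCP sessions (registry)", "T1552.002"),
    (r"\FileZilla\recentservers.xml", "FileZilla", "recent FTP servers", "T1552.001"),
    (r"\SmartFTP\Client 2.0\Favorites", "SmartFTP", "FTP favorites", "T1552.001"),
    (r"\Google\Chrome\User Data\Default\Login Data", "Chrome", "saved browser logins (SQLite)", "T1555.003"),
    (r"\Mozilla\Firefox\profiles.ini", "Firefox", "browser profile index", "T1555.003"),
]

# Accepts "Source: <proc> | File opened: <target>" as well as the fused
# "Source: <proc>File opened: <target>Jump to behavior" copy-paste form.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<process>.+?)\s*\|?\s*"
    r"(?P<action>File opened|Key opened|Key value queried):\s*"
    r"(?P<target>.+?)\s*(?:Jump to behavior)?\s*$"
)


@dataclass(frozen=True)
class Event:
    process: str
    action: str
    target: str


@dataclass(frozen=True)
class Hit:
    event: Event
    application: str
    store: str
    technique: str


def parse_events(text):
    """Return the file/registry access events found in the report text."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["process"], m["action"], m["target"]))
    return events


def triage(text):
    """Match each event against the credential-store table (first hit wins)."""
    hits = []
    for ev in parse_events(text):
        haystack = ev.target.lower()
        for needle, app, store, technique in CREDENTIAL_STORES:
            if needle.lower() in haystack:
                hits.append(Hit(ev, app, store, technique))
                break
    return hits


def summarize(hits):
    """Group the targeted applications by ATT&CK technique."""
    by_technique = {}
    for h in hits:
        by_technique.setdefault(h.technique, set()).add(h.application)
    return {t: sorted(apps) for t, apps in sorted(by_technique.items())}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.technique}  {h.application:<12} {h.store:<36} {h.event.target}")
    print(summarize(found))
```

Run against the lines above it yields three groups: T1552.001 (FileZilla, SmartFTP, Thunderbird), T1552.002 (IncrediMail, Outlook, WinSCP) and T1555.003 (Chrome, Firefox). Font and assembly paths from the "Queries volume information" list produce no hit, which is the check a practitioner wants: only access to known credential stores is counted, not every file the .NET runtime touches.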

                Remote Access Functionality

Source: Yara match | File source: 2.0.rdwREyLU2K.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3db5fb8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3dea5d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3dea5d8.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3db5fb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rdwREyLU2K.exe.3d7fb98.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 4240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rdwREyLU2K.exe PID: 5436, type: MEMORYSTR

ATT&CK techniques by tactic (numbers in brackets are the report's signature-count badges):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [111]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [2]; Software Packing [11]
Credential Access: OS Credential Dumping [2]; Input Capture [11]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [114]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Input Capture [11]; Archive Collected Data [11]; Data from Local System [2]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Source | Detection | Scanner | Label
rdwREyLU2K.exe | 29% | ReversingLabs |
rdwREyLU2K.exe | 30% | Virustotal |
rdwREyLU2K.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
2.0.rdwREyLU2K.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://DtWdBM.com | 0% | Virustotal |
http://DRHKlr5ijAqmEIU.n | 0% | Avira URL Cloud | safe
http://secure.globaQMx | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://DtWdBM.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%smtp.yandex.comviorel5000 | 0% | Avira URL Cloud | safe
http://crl.globaHL | 0% | Avira URL Cloud | safe
http://DRHKlr5ijAqmEIU.net | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DtWdBM.com | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DRHKlr5ijAqmEIU.n | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://secure.globaQMx | rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%smtp.yandex.comviorel5000 | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp; rdwREyLU2K.exe, 00000000.00000003.304752494.000000000106C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://smtp.yandex.com | rdwREyLU2K.exe, 00000002.00000002.567418805.0000000003094000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | rdwREyLU2K.exe, 00000000.00000002.346106526.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.globaHL | rdwREyLU2K.exe, 00000002.00000002.563843813.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org% | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://DRHKlr5ijAqmEIU.net | rdwREyLU2K.exe, 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp; rdwREyLU2K.exe, 00000002.00000002.567534977.00000000030BF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false
                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                          Analysis ID:715064
                                          Start date and time:2022-10-03 15:47:33 +02:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 8m 43s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:rdwREyLU2K.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:6
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@5/1@2/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 97%
                                          • Number of executed functions: 45
                                          • Number of non-executed functions: 4
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
15:48:39  API Interceptor  716x Sleep call for process: rdwREyLU2K.exe modified
Match: 77.88.21.158
Associated Sample Name / URL     Detection
PO#4802567411.exe                malicious
Inv...PYM...00000000PDF.vbs      malicious
EbxZnWRh46.exe                   malicious
SIfMYHJlUY.exe                   malicious
736Av81NTH.exe                   malicious
DATA SHEET.exe                   malicious
DHL Delivery Invoice.exe         malicious
8R63xXEW5q.exe                   malicious
7aM2ouU1yN.exe                   malicious
271_2022_Cetrtapot.vbs           malicious
xHPTGsokvq.exe                   malicious
8crUbKVkd7.exe                   malicious
cNcML3CHZm.exe                   malicious
6jelJGPLkx.exe                   malicious
6jelJGPLkx.exe                   malicious
EHYrEXZHsb.exe                   malicious
INV 2209-046-SHYE YNG.exe        malicious
qIlCIkQFV7.exe                   malicious
PZcfMUXY9x.exe                   malicious
PO22092022159.doc                malicious
Match: smtp.yandex.ru
Associated Sample Name / URL     Detection   Context
PO#4802567411.exe                malicious   77.88.21.158
Inv...PYM...00000000PDF.vbs      malicious   77.88.21.158
DATA SHEET.exe                   malicious   77.88.21.158
EbxZnWRh46.exe                   malicious   77.88.21.158
SIfMYHJlUY.exe                   malicious   77.88.21.158
736Av81NTH.exe                   malicious   77.88.21.158
DATA SHEET.exe                   malicious   77.88.21.158
DHL Delivery Invoice.exe         malicious   77.88.21.158
8R63xXEW5q.exe                   malicious   77.88.21.158
7aM2ouU1yN.exe                   malicious   77.88.21.158
271_2022_Cetrtapot.vbs           malicious   77.88.21.158
xHPTGsokvq.exe                   malicious   77.88.21.158
8crUbKVkd7.exe                   malicious   77.88.21.158
cNcML3CHZm.exe                   malicious   77.88.21.158
6jelJGPLkx.exe                   malicious   77.88.21.158
6jelJGPLkx.exe                   malicious   77.88.21.158
EHYrEXZHsb.exe                   malicious   77.88.21.158
INV 2209-046-SHYE YNG.exe        malicious   77.88.21.158
qIlCIkQFV7.exe                   malicious   77.88.21.158
PZcfMUXY9x.exe                   malicious   77.88.21.158
Match: YANDEXRU (AS13238)
Associated Sample Name / URL     Detection   Context
PO#4802567411.exe                malicious   77.88.21.158
file.exe                         malicious   87.250.250.50
VkDJ.exe                         malicious   5.45.205.243
Inv...PYM...00000000PDF.vbs      malicious   77.88.21.158
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
file.exe                         malicious   87.250.250.50
VkDJ.exe                         malicious   5.45.205.245
VkDJ.exe                         malicious   5.45.205.245
file.exe                         malicious   87.250.250.50
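Added example, not part of the Joe Sandbox report. The network table marks 77.88.21.158 / smtp.yandex.ru as Malicious: false because it is a legitimate public mail service, and the three pivot tables show the same endpoint and ASN across many other malicious submissions. That combination makes the IP and hostname poor block-list entries and useful context-dependent detections: the question is which process on a workstation opens an SMTP session to it. The Python below classifies Sysmon Event ID 3 (network connection) records against these IOCs and weights a hit by the initiating image and destination port. The SMTP submission ports, the mail-client allowlist and the sample event records are constructed assumptions; only the IP, the hostname and the sample path C:\Users\user\Desktop\rdwREyLU2K.exe come from the report.

```python
"""Context-aware matching of the report's network IOCs against Sysmon
Event ID 3 (network connection) records.  The destination is a legitimate
mail provider, so a bare IP/hostname hit is weak; the signal is which
process talks to it and on what port."""
import ipaddress

# From the report's network table.
IOC_IPS = {ipaddress.ip_address("77.88.21.158")}
IOC_DOMAINS = {"smtp.yandex.ru"}
# Assumptions, not report data: SMTP submission ports a stealer would use for
# exfiltration, and binaries that may legitimately speak SMTP from a workstation.
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\mozilla thunderbird\thunderbird.exe",
}


def classify(event):
    """Severity ('high' | 'medium' | 'low') for one outbound IOC hit, else None."""
    if str(event.get("Initiated", "true")).lower() != "true":
        return None                       # inbound connection: not exfiltration
    ip_hit = ipaddress.ip_address(event["DestinationIp"]) in IOC_IPS
    host = event.get("DestinationHostname", "").lower().rstrip(".")
    if not (ip_hit or host in IOC_DOMAINS):
        return None
    if event["Image"].lower() in MAIL_CLIENTS:
        return "low"                      # expected client, expected infrastructure
    if int(event["DestinationPort"]) in SMTP_PORTS:
        return "high"                     # arbitrary binary speaking SMTP to the IOC
    return "medium"                       # IOC contacted on a non-SMTP port


def triage(events):
    """Return (severity, image, destination, port) for every event that hits."""
    hits = []
    for e in events:
        sev = classify(e)
        if sev is not None:
            dest = e.get("DestinationHostname") or e["DestinationIp"]
            hits.append((sev, e["Image"], dest, int(e["DestinationPort"])))
    return hits


# Constructed records in Sysmon EID 3 field naming; only the sample path and
# the destination IP/hostname come from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\rdwREyLU2K.exe", "DestinationIp": "77.88.21.158",
     "DestinationHostname": "smtp.yandex.ru", "DestinationPort": "587", "Initiated": "true"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "77.88.21.158", "DestinationHostname": "smtp.yandex.ru",
     "DestinationPort": "587", "Initiated": "true"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "77.88.21.158", "DestinationHostname": "smtp.yandex.ru",
     "DestinationPort": "443", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "8.8.8.8",
     "DestinationHostname": "dns.google", "DestinationPort": "53", "Initiated": "true"},
    {"Image": "System", "DestinationIp": "77.88.21.158", "DestinationHostname": "",
     "DestinationPort": "49152", "Initiated": "false"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The same three-tier logic carries over to DNS or proxy logs: match the indicator first, then downgrade hits from the mail clients you actually deploy and upgrade hits from anything else that speaks SMTP.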
                                                                                  Process:C:\Users\user\Desktop\rdwREyLU2K.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1308
                                                                                  Entropy (8bit):5.345811588615766
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                                                  MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                                                  SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                                                  SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                                                  SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                                                  Malicious:true
                                                                                  Reputation:high, very likely benign file
Preview (CRLF-separated records; the report renders each non-printable byte as ".", and the last record is cut off in the preview):
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
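Added example, not part of the report. The dropped file's records, one CSV line per CRLF with a numeric kind, a quoted assembly display name, an optional quoted native-image path and a trailing flag, match what the .NET 4.x runtime writes to its per-executable usage log (normally under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs); that identification is the editor's, the report itself gives only the hashes and the preview. It explains the apparent contradiction between "Malicious: true" (written by the malicious process) and "Reputation: high, very likely benign file" (a runtime side effect, not a payload). Forensically the file is still useful: it records which framework assemblies the process bound, here System.Windows.Forms, System.Drawing, System.Core, System.Configuration and System.Xml. The parser below runs on the complete records visible in the preview, reconstructed as constructed input; the record-kind meanings in the docstring are read off that sample, not taken from documentation.

```python
"""Parse the dropped .NET usage log into the assemblies the process bound."""
import csv

# Constructed from the complete records visible in the report's Preview; the
# real 1308-byte file continues past the point where the preview is cut off.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\r\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\8d67d92724ba494b6c7fd089d6f25b48\\System.Configuration.ni.dll",0\r\n'
)


def parse_usage_log(text):
    """One dict per record: kind (int), name, detail (None if absent), flag (int).

    As observed in the sample: kind 1 records are runtime settings, kind 2
    records name an assembly that was bound without a native image, and kind 3
    records add the native-image (.ni.dll) path that was bound."""
    records = []
    for row in csv.reader(text.splitlines()):   # csv handles the quoted commas
        if not row:
            continue
        if len(row) == 3:
            kind, name, flag = row
            detail = None
        elif len(row) == 4:
            kind, name, detail, flag = row
        else:
            raise ValueError(f"unexpected field count {len(row)}: {row!r}")
        records.append({"kind": int(kind), "name": name, "detail": detail, "flag": int(flag)})
    return records


def bound_assemblies(records):
    """Simple names of the assemblies the process bound (kind 2 and 3 records)."""
    return [r["name"].split(",")[0] for r in records if r["kind"] in (2, 3)]


def native_images(records):
    """Native-image paths from kind 3 records: evidence of what actually ran."""
    return [r["detail"] for r in records if r["kind"] == 3 and r["detail"]]


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_LOG)
    print(bound_assemblies(recs))
    print(native_images(recs))
```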
                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):6.564911842144199
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  File name:rdwREyLU2K.exe
                                                                                  File size:909824
                                                                                  MD5:25d6c4747284bf8489b1faa56a1ddd42
                                                                                  SHA1:49112625189085cdde41b13809efa60d3d26fc5a
                                                                                  SHA256:17589e726e9a629be05b4a39848c3a399549b646c38bbe9ac4c301a261dacc8f
                                                                                  SHA512:62c9f541b7db2be928de9678b050efe98769b573fbf4855ec343a78527618c4c63c7a0c3bd1fda26d9232dc27fd47bf254d6c4984f86d2397d4266c19f6216f9
                                                                                  SSDEEP:12288:zK4HTNfVv2SM15g7MW6ZWPVSmb33VqYs/+exRtOM7LXCtj:fv24MlQPPVqd/+e9OM+
                                                                                  TLSH:1D15D02203E69B0AC0665374CDD3C3F0AFE84E61E271C2874FE9BD6BB57B1A9B641145
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@.:c..............0.................. ........@.. .......................@............@................................
                                                                                  Icon Hash:00828e8e8686b000
                                                                                  Entrypoint:0x4df51a
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x633AC040 [Mon Oct 3 10:58:08 2022 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the rest of the dumped entry-point bytes are 0x00 padding, which the disassembler shows as repeated "add byte ptr [eax], al")
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xdf4c8          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe0000          0x608         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xdd520       0xdd600   False     0.6839907714568041  data       6.57261861619457     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xe0000          0x608         0x800     False     0.33154296875       data       3.440909406394536    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe2000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country
RT_VERSION   0xe0090  0x378  data
RT_MANIFEST  0xe0418  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Oct 3, 2022 15:49:06.042037010 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.098341942 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.098545074 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.383357048 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.383822918 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.440113068 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.440150023 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.440598965 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.499119997 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.552879095 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.612731934 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.612771034 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.612795115 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.612816095 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.612936974 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.613003016 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.640078068 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.698756933 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.744678974 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.767220020 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.823750973 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.839813948 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.896342993 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.897025108 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:06.971704960 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:06.972553968 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:07.034334898 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:07.035088062 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:07.103673935 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:07.104135990 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:07.160567999 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:07.162266970 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:07.162421942 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:07.163043022 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:07.163139105 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:49:07.218589067 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:07.219239950 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:07.598264933 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:49:07.651074886 CEST  49701        587        192.168.2.5   77.88.21.158
Oct 3, 2022 15:50:22.598304033 CEST  587          49701      77.88.21.158  192.168.2.5
Oct 3, 2022 15:50:22.598372936 CEST  49701        587        192.168.2.5   77.88.21.158
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Oct 3, 2022 15:49:05.970387936 CEST  60841        53         192.168.2.5  8.8.8.8
Oct 3, 2022 15:49:05.989950895 CEST  53           60841      8.8.8.8      192.168.2.5
Oct 3, 2022 15:49:06.006103992 CEST  61893        53         192.168.2.5  8.8.8.8
Oct 3, 2022 15:49:06.023452997 CEST  53           61893      8.8.8.8      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
Oct 3, 2022 15:49:05.970387936 CEST  192.168.2.5  8.8.8.8  0x8d8     Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)  false
Oct 3, 2022 15:49:06.006103992 CEST  192.168.2.5  8.8.8.8  0x1e69    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName           Address       Type                    Class        DNS over HTTPS
Oct 3, 2022 15:49:05.989950895 CEST  8.8.8.8    192.168.2.5  0x8d8     No error (0)  smtp.yandex.com  smtp.yandex.ru                CNAME (Canonical name)  IN (0x0001)  false
Oct 3, 2022 15:49:05.989950895 CEST  8.8.8.8    192.168.2.5  0x8d8     No error (0)  smtp.yandex.ru                   77.88.21.158  A (IP address)          IN (0x0001)  false
Oct 3, 2022 15:49:06.023452997 CEST  8.8.8.8    192.168.2.5  0x1e69    No error (0)  smtp.yandex.com  smtp.yandex.ru                CNAME (Canonical name)  IN (0x0001)  false
Oct 3, 2022 15:49:06.023452997 CEST  8.8.8.8    192.168.2.5  0x1e69    No error (0)  smtp.yandex.ru                   77.88.21.158  A (IP address)          IN (0x0001)  false
Timestamp                            Source Port  Dest Port  Source IP     Dest IP       Commands
Oct 3, 2022 15:49:06.383357048 CEST  587          49701      77.88.21.158  192.168.2.5   220 iva7-38cb93e4c9b7.qloud-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1664804946-PxPyYXd6eg-n6hK4HMm
Oct 3, 2022 15:49:06.383822918 CEST  49701        587        192.168.2.5   77.88.21.158  EHLO 124406
Oct 3, 2022 15:49:06.440150023 CEST  587          49701      77.88.21.158  192.168.2.5   250-iva7-38cb93e4c9b7.qloud-c.yandex.net
                                                                                         250-8BITMIME
                                                                                         250-PIPELINING
                                                                                         250-SIZE 53477376
                                                                                         250-STARTTLS
                                                                                         250-AUTH LOGIN PLAIN XOAUTH2
                                                                                         250-DSN
                                                                                         250 ENHANCEDSTATUSCODES
Oct 3, 2022 15:49:06.440598965 CEST  49701        587        192.168.2.5   77.88.21.158  STARTTLS
Oct 3, 2022 15:49:06.499119997 CEST  587          49701      77.88.21.158  192.168.2.5   220 Go ahead


Target ID: 0
Start time: 15:48:26
Start date: 03/10/2022
Path: C:\Users\user\Desktop\rdwREyLU2K.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\rdwREyLU2K.exe
Imagebase: 0x580000
File size: 909824 bytes
MD5 hash: 25D6C4747284BF8489B1FAA56A1DDD42
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.343609881.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.339258333.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 15:48:45
Start date: 03/10/2022
Path: C:\Users\user\Desktop\rdwREyLU2K.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\rdwREyLU2K.exe
Imagebase: 0xa0000
File size: 909824 bytes
MD5 hash: 25D6C4747284BF8489B1FAA56A1DDD42
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 2
Start time: 15:48:45
Start date: 03/10/2022
Path: C:\Users\user\Desktop\rdwREyLU2K.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\rdwREyLU2K.exe
Imagebase: 0x4a0000
File size: 909824 bytes
MD5 hash: 25D6C4747284BF8489B1FAA56A1DDD42
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000000.335755215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.564718975.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low


                                                                                    Execution Graph

Execution Coverage: 11.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 52
Total number of Limit Nodes: 2
                                                                                    execution_graph 16697 4f909d8 16698 4f909bd 16697->16698 16699 4f909e2 16697->16699 16706 4f91688 16698->16706 16712 4f91678 16698->16712 16700 4f90a47 SetWindowLongW 16699->16700 16701 4f909e6 16699->16701 16702 4f90a84 16700->16702 16707 4f916b5 16706->16707 16708 4f916e7 16707->16708 16718 4f918dc 16707->16718 16724 4f91800 16707->16724 16729 4f91810 16707->16729 16713 4f9167d 16712->16713 16714 4f909cf 16713->16714 16715 4f918dc 2 API calls 16713->16715 16716 4f91810 2 API calls 16713->16716 16717 4f91800 2 API calls 16713->16717 16715->16714 16716->16714 16717->16714 16719 4f9189a 16718->16719 16720 4f918ea 16718->16720 16734 4f918c8 16719->16734 16737 4f918b8 16719->16737 16721 4f918b0 16721->16708 16726 4f91810 16724->16726 16725 4f918b0 16725->16708 16727 4f918c8 2 API calls 16726->16727 16728 4f918b8 2 API calls 16726->16728 16727->16725 16728->16725 16731 4f91824 16729->16731 16730 4f918b0 16730->16708 16732 4f918c8 2 API calls 16731->16732 16733 4f918b8 2 API calls 16731->16733 16732->16730 16733->16730 16735 4f918d9 16734->16735 16741 4f92d61 16734->16741 16735->16721 16738 4f918c8 16737->16738 16739 4f92d61 2 API calls 16738->16739 16740 4f918d9 16738->16740 16739->16740 16740->16721 16745 4f92d90 16741->16745 16749 4f92d80 16741->16749 16742 4f92d7a 16742->16735 16746 4f92dd2 16745->16746 16748 4f92dd9 16745->16748 16747 4f92e2a CallWindowProcW 16746->16747 16746->16748 16747->16748 16748->16742 16750 4f92d90 16749->16750 16751 4f92e2a CallWindowProcW 16750->16751 16752 4f92dd9 16750->16752 16751->16752 16752->16742 16753 4f90780 16757 4f907d0 16753->16757 16761 4f907c6 16753->16761 16758 4f90838 CreateWindowExW 16757->16758 16760 4f908f4 16758->16760 16762 4f90838 CreateWindowExW 16761->16762 16764 4f908f4 16762->16764

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 2360 4f907c6-4f90836 2361 4f90838-4f9083e 2360->2361 2362 4f90841-4f90848 2360->2362 2361->2362 2363 4f9084a-4f90850 2362->2363 2364 4f90853-4f908f2 CreateWindowExW 2362->2364 2363->2364 2366 4f908fb-4f90933 2364->2366 2367 4f908f4-4f908fa 2364->2367 2371 4f90940 2366->2371 2372 4f90935-4f90938 2366->2372 2367->2366 2373 4f90941 2371->2373 2372->2371 2373->2373
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F908E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.344963599.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f90000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: d7d013aad49dab7286c1f8eda8e33f58fea2e3104ed4e13c0fca23266797d0ec
                                                                                    • Instruction ID: 53cdad262dcb5d00b0e00034ac2c9a24cbfe1e06abcad82310ae2722dbe7a596
                                                                                    • Opcode Fuzzy Hash: d7d013aad49dab7286c1f8eda8e33f58fea2e3104ed4e13c0fca23266797d0ec
                                                                                    • Instruction Fuzzy Hash: 3D51A0B1D003499FEF14CF99C984ADEBBB5BF48314F64852AE419AB210DB74A846CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 2374 4f907d0-4f90836 2375 4f90838-4f9083e 2374->2375 2376 4f90841-4f90848 2374->2376 2375->2376 2377 4f9084a-4f90850 2376->2377 2378 4f90853-4f908f2 CreateWindowExW 2376->2378 2377->2378 2380 4f908fb-4f90933 2378->2380 2381 4f908f4-4f908fa 2378->2381 2385 4f90940 2380->2385 2386 4f90935-4f90938 2380->2386 2381->2380 2387 4f90941 2385->2387 2386->2385 2387->2387
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F908E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.344963599.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f90000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 6789ee449c8bf368b6215b2607bdfb07353c832c6ba2eb3ff90b9a42c25e6df8
                                                                                    • Instruction ID: f954967a8b25f737bb49b1f5e56e4d9404813f0df07d19b639de6312b311ebf4
                                                                                    • Opcode Fuzzy Hash: 6789ee449c8bf368b6215b2607bdfb07353c832c6ba2eb3ff90b9a42c25e6df8
                                                                                    • Instruction Fuzzy Hash: D841B1B1D003499FEF14CF99C984ADEBBF5BF48314F64852AE819AB210DB74A845CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 2388 4f92d90-4f92dcc 2389 4f92e7c-4f92e9c 2388->2389 2390 4f92dd2-4f92dd7 2388->2390 2396 4f92e9f-4f92eac 2389->2396 2391 4f92dd9-4f92e10 2390->2391 2392 4f92e2a-4f92e62 CallWindowProcW 2390->2392 2399 4f92e19-4f92e28 2391->2399 2400 4f92e12-4f92e18 2391->2400 2394 4f92e6b-4f92e7a 2392->2394 2395 4f92e64-4f92e6a 2392->2395 2394->2396 2395->2394 2399->2396 2400->2399
                                                                                    APIs
                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F92E51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.344963599.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f90000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2714655100-0
                                                                                    • Opcode ID: f43ac880a53682da15a69da5d23c86d9603d61cc33bd433b66555d2a520ff3b3
                                                                                    • Instruction ID: 4eff4ba03ac9c3349e56b30a6c1f512540325c7a868e4f79c48a3ae9b5d8b0a8
                                                                                    • Opcode Fuzzy Hash: f43ac880a53682da15a69da5d23c86d9603d61cc33bd433b66555d2a520ff3b3
                                                                                    • Instruction Fuzzy Hash: 884108B9A00305DFDB14DF99C488A9ABBF5FB88314F158899D519AB321D774EC42CFA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 2402 4f909d8-4f909e0 2403 4f909bd-4f909c8 2402->2403 2404 4f909e2-4f909e4 2402->2404 2413 4f909ca call 4f91688 2403->2413 2414 4f909ca call 4f91678 2403->2414 2405 4f90a47-4f90a82 SetWindowLongW 2404->2405 2406 4f909e6-4f90a01 2404->2406 2408 4f90a8b-4f90a9f 2405->2408 2409 4f90a84-4f90a8a 2405->2409 2409->2408 2410 4f909cf-4f909d4 2413->2410 2414->2410
                                                                                    APIs
                                                                                    • SetWindowLongW.USER32(?,?,?), ref: 04F90A75
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.344963599.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f90000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1378638983-0
                                                                                    • Opcode ID: 0ecf154497ad1a2dafb5b32878dfde3b681832be4300a6ff55397fbd5bfe33ef
                                                                                    • Instruction ID: e081b19a40caf84ab8bab4cfed12d2f6a14e3dde5686fe28f2dc128aa65b16ec
                                                                                    • Opcode Fuzzy Hash: 0ecf154497ad1a2dafb5b32878dfde3b681832be4300a6ff55397fbd5bfe33ef
                                                                                    • Instruction Fuzzy Hash: 7C21CD76400348DFEB01CF84D840A9ABBF5FF88324F04846AE90497222C336E955DF61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    [graph rendering omitted: control-flow graph of the function at 4f90a10 (Executed / Not Executed legend); API referenced in the graph: SetWindowLongW]
                                                                                    APIs
                                                                                    • SetWindowLongW.USER32(?,?,?), ref: 04F90A75
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.344963599.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f90000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1378638983-0
                                                                                    • Opcode ID: 9a549a599ae3666e9da0425d50170da0a3ce5824c3201e67ea0e81ca4d0b636d
                                                                                    • Instruction ID: 00bd6c2639afb7f93e6329b09debe4d317530e7bbb799b4411d54d4312262e94
                                                                                    • Opcode Fuzzy Hash: 9a549a599ae3666e9da0425d50170da0a3ce5824c3201e67ea0e81ca4d0b636d
                                                                                    • Instruction Fuzzy Hash: 4B1106B5D002489FDB20CF99D589BDEBBF4EB48324F108919D815A7700D378A945CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    [graph rendering omitted: control-flow graph of the function at 4f90a18 (Executed / Not Executed legend); API referenced in the graph: SetWindowLongW]
                                                                                    APIs
                                                                                    • SetWindowLongW.USER32(?,?,?), ref: 04F90A75
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.344963599.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f90000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1378638983-0
                                                                                    • Opcode ID: b6db4a0ad9fe22a782e8272aa9966ddb4124b552458eab711b1cad0a74c85ee4
                                                                                    • Instruction ID: b07e530209d3d6a0ce094896beb80f709c8c2c42585c63175a74daac17bdfbfa
                                                                                    • Opcode Fuzzy Hash: b6db4a0ad9fe22a782e8272aa9966ddb4124b552458eab711b1cad0a74c85ee4
                                                                                    • Instruction Fuzzy Hash: A711D3B59002499FDB20CF99D585BDEBBF8EB48324F10891AD815A7700C374A945CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.345886473.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_54c0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e068d0b1d6602b1ceae01f0df7ca433be14e767703cb66234fe36ed6c2bb610c
                                                                                    • Instruction ID: 4c6e3a122817f20c147c853b83884b08a904bff9d7d12e82fecf1a689158bde2
                                                                                    • Opcode Fuzzy Hash: e068d0b1d6602b1ceae01f0df7ca433be14e767703cb66234fe36ed6c2bb610c
                                                                                    • Instruction Fuzzy Hash: 5A313C74E04258DFDB55DFA9D544AEEBBB6FF89300F0180AAD811AB350CB349946CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.345886473.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_54c0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 547da162abe5039bc723c8539f80a9ba11e1baaa6e028c46d536ab31a6b0a205
                                                                                    • Instruction ID: 1e6dd312e93a4959f9401c72c6b4a5dfcba671984f2abf77686193c951fdebd1
                                                                                    • Opcode Fuzzy Hash: 547da162abe5039bc723c8539f80a9ba11e1baaa6e028c46d536ab31a6b0a205
                                                                                    • Instruction Fuzzy Hash: 7DC1B578E002188FDB54DFA8D9956DEBBB2FF89300F1080AAE409AB345DB345982DF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.345886473.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_54c0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1643532405a8d50c5155680b1bcc51f0b4cc13d5c2face7ee0d07372b8f94338
                                                                                    • Instruction ID: 488395c6dfcc9b47ad57acefd7acb5e8a9fad346f92ea52f7e8cd5c0f32c59b3
                                                                                    • Opcode Fuzzy Hash: 1643532405a8d50c5155680b1bcc51f0b4cc13d5c2face7ee0d07372b8f94338
                                                                                    • Instruction Fuzzy Hash: 6CC1B578E002188FDB54DFA8D9956DEBBB2FF89300F10806AE809AB345DB345D82DF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.345886473.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_54c0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fd6387087773cb020b08418cdbc67274701eb1b6eb5b77b520fd65f2affd8a10
                                                                                    • Instruction ID: 630d0ea8fde8901e63145b28c36419aa0ef8ec3665a6393c988b77766b625459
                                                                                    • Opcode Fuzzy Hash: fd6387087773cb020b08418cdbc67274701eb1b6eb5b77b520fd65f2affd8a10
                                                                                    • Instruction Fuzzy Hash: E4414871D05A588BDB5CCF6B9D406DAFBF3BFC9201F18C1BA980CAA255DB3106468F41
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.345886473.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_54c0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 44382102a51314ec3b44f11073d6b87ffa270433372bb7137a6b2868ba842b4d
                                                                                    • Instruction ID: 7356b8737d387c8947ff2836b9fcbc59029bc504af718de2661c93f104163e4a
                                                                                    • Opcode Fuzzy Hash: 44382102a51314ec3b44f11073d6b87ffa270433372bb7137a6b2868ba842b4d
                                                                                    • Instruction Fuzzy Hash: 26411371D05A588BEB5CCF6B9D4079AFAF7BFC9301F14C1BA980CAA258DB3005468F51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Execution Graph

                                                                                    Execution Coverage:20.8%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0.9%
                                                                                    Total number of Nodes:340
                                                                                    Total number of Limit Nodes:5
                                                                                    [graph rendering omitted: execution graph node and edge data not reproduced as text; APIs referenced in the graph: LdrInitializeThunk, LoadLibraryA, KiUserExceptionDispatcher, RegOpenKeyExW, RegQueryValueExW, RtlEncodePointer]
APIs
Memory Dump Source
• Source File: 00000002.00000002.570623997.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5eb0000_rdwREyLU2K.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e73ff76b7b8f9b033d199a8c4b6663d1fef8f41ee5357b45cf14b6e2c8add175
• Instruction ID: 77407e1cba693532057d19ae536cecb4ac147a283f650083a8dc1569c98d8484
• Opcode Fuzzy Hash: e73ff76b7b8f9b033d199a8c4b6663d1fef8f41ee5357b45cf14b6e2c8add175
• Instruction Fuzzy Hash: C6711B70E00209CFEB14DFB4D599BEEBBB6BF8430AF108929D45697254DBB89D45CB80
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
• KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
Memory Dump Source
• Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 1d88321a01c52f5a79f678e284e3b56dc357e506901f6bbe056b4189d85fd6a7
• Instruction ID: fac3cfdcc849b1de4b26c1e5d2080a732896f35bc907b6f46286a5ed1cfd8f41
• Opcode Fuzzy Hash: 1d88321a01c52f5a79f678e284e3b56dc357e506901f6bbe056b4189d85fd6a7
• Instruction Fuzzy Hash: 6D028438905228CFCBA8DB74D94D698BBB6FF49306F1045E9D50AA6310CF7A9E81CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
• KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
Memory Dump Source
• Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: e21a50922902359eb1b8b6dd1b2e2a92fd40f082d3e41b53114a0b3313511371
• Instruction ID: beca9a21ed95799aa22238e885cb266f5b69193e678001378ecc1664895c20b9
• Opcode Fuzzy Hash: e21a50922902359eb1b8b6dd1b2e2a92fd40f082d3e41b53114a0b3313511371
• Instruction Fuzzy Hash: E3028438905268CFCBA8DB70D94D698BBB6FF49306F1045E9E50A96310CF7A9E81CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
• KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
Memory Dump Source
• Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 88fdfb52d4592e2fdf43713b046fcbf57bb542f01b98b740d4baaeb27b8d0e3a
• Instruction ID: c900856bf4bfc374ab5314175b7df3ac983532d90a4ad2c5bc9fd31dbf347262
• Opcode Fuzzy Hash: 88fdfb52d4592e2fdf43713b046fcbf57bb542f01b98b740d4baaeb27b8d0e3a
• Instruction Fuzzy Hash: 02028438905268CFCBA4DB70D94D698BBB6FF49306F1045E9D509A6310CF7A9E81CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
• KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
Memory Dump Source
• Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 463958eaa83f5b8b8d401261dfb47c0bbcded7d0f901a46fb8325c3f5309c272
• Instruction ID: 2a490725beab17b94ccc28c34e6e4c06a69fb620ba58fb35c0b3440688d859cd
• Opcode Fuzzy Hash: 463958eaa83f5b8b8d401261dfb47c0bbcded7d0f901a46fb8325c3f5309c272
• Instruction Fuzzy Hash: 64028438905268CFCBA4DB70D94D698BBB6FF49306F1045E9D509A6310CB7A9EC1CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
• KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
Memory Dump Source
• Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 723594ea61fd24d0903c5690642f18be82265b16628c4a12590bca17b216e50c
• Instruction ID: 708954b39a16eeca1795ad8970ede6658fbc859777035f07eab90bfda322eb35
• Opcode Fuzzy Hash: 723594ea61fd24d0903c5690642f18be82265b16628c4a12590bca17b216e50c
• Instruction Fuzzy Hash: 7D028438905268CFCBA4DB70D94D698BBB6FF49306F1045E9D509A6310CB7A9EC1CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
• KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
Memory Dump Source
• Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: a08601e066ed909c502e3f3bd7ff9a38035d2e06790c32bc3eb39356807a4b3e
• Instruction ID: 5374da800d3bee84f8798f784eb36f89d114b01a81cdfd8a592d3ddef1576eb3
• Opcode Fuzzy Hash: a08601e066ed909c502e3f3bd7ff9a38035d2e06790c32bc3eb39356807a4b3e
• Instruction Fuzzy Hash: 50F18338905268CFCBA8DB70D98D698BBB6FF49306F1045E9D509A6310CB7A9EC1CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
• KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
Memory Dump Source
• Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: f08f2208e67248ec12b30327e0d6a740eb068aed934cb72391c445c9c22aa40d
• Instruction ID: d52e88f0faed99bf69429d27bed555ef00fea8904953519d51bde1cf233de324
• Opcode Fuzzy Hash: f08f2208e67248ec12b30327e0d6a740eb068aed934cb72391c445c9c22aa40d
• Instruction Fuzzy Hash: 71F18338905268CFCBA4DB70D98D698BBB6FF49306F1045E9D509A6310CB7A9EC1CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
• KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
Memory Dump Source
• Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 2d8e1535c6fafe90ad248c91db10c6ba72ff8736c8a4a8e30bb3c1220c6054f8
• Instruction ID: 468cf05be7766221dc8fa8ed1580975583f7cf121a527db885c89e907107ce99
• Opcode Fuzzy Hash: 2d8e1535c6fafe90ad248c91db10c6ba72ff8736c8a4a8e30bb3c1220c6054f8
• Instruction Fuzzy Hash: F0F18338905268CFCBA4DB70D98D698BBB6FF49306F5045E9D509A6310CB3A9EC1CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 012805bbc601008ad763b1cb93ce630fba65517cc8e10b851f215087968c1d36
                                                                                    • Instruction ID: ddb5b120c5f394ceafca15091578f193ada818017b17f4767a6f629c93a097ab
                                                                                    • Opcode Fuzzy Hash: 012805bbc601008ad763b1cb93ce630fba65517cc8e10b851f215087968c1d36
                                                                                    • Instruction Fuzzy Hash: A4F17238905268CFCBA4DB70D98D698BBB6FF49306F5045E9D509A6310CB3A9EC1CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1510 59f7855-59f78ac call 59f5990 call 59f5b20 1647 59f78ac call 5eba5ef 1510->1647 1648 59f78ac call 5eba6f0 1510->1648 1519 59f78b2-59f7936 call 5ebab20 1652 59f7936 call 5ebada8 1519->1652 1653 59f7936 call 5ebad48 1519->1653 1525 59f793c-59f79c0 1638 59f79c0 call 5ebba28 1525->1638 1639 59f79c0 call 5ebcd31 1525->1639 1531 59f79c6-59f7a05 1640 59f7a05 call 5ebcdf9 1531->1640 1641 59f7a05 call 5ebcfe8 1531->1641 1534 59f7a0b-59f7bdf call 5ebd2e8 call 5ebe050 call 5ebe170 KiUserExceptionDispatcher 1645 59f7bdf call 5ebec89 1534->1645 1646 59f7bdf call 5ebece8 1534->1646 1554 59f7be5-59f7ca5 call 5ebf058 * 2 1654 59f7ca5 call 5ebf5e8 1554->1654 1655 59f7ca5 call 5ebf538 1554->1655 1563 59f7cab-59f7cea 1635 59f7cea call 59ff6f1 1563->1635 1636 59f7cea call 59ff700 1563->1636 1637 59f7cea call 59ffa30 1563->1637 1566 59f7cf0-59f8300 KiUserExceptionDispatcher 1632 59f8306-59f8355 1566->1632 1635->1566 1636->1566 1637->1566 1638->1531 1639->1531 1640->1534 1641->1534 1645->1554 1646->1554 1647->1519 1648->1519 1652->1525 1653->1525 1654->1563 1655->1563
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 640b4dd5a41ab0321933d33666407afc661459c8ebfccfa05d80d5e9e3840bd0
                                                                                    • Instruction ID: 34603c681d8f093d99b9a137442ddb24e58878caca7877836384bb522f8de452
                                                                                    • Opcode Fuzzy Hash: 640b4dd5a41ab0321933d33666407afc661459c8ebfccfa05d80d5e9e3840bd0
                                                                                    • Instruction Fuzzy Hash: 1CF17238905268CFCBA8DB70D98D698BBB6FF49306F5045E9D509A6310CB3A9EC1CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1656 59f7891-59f78ac call 59f5990 call 59f5b20 1779 59f78ac call 5eba5ef 1656->1779 1780 59f78ac call 5eba6f0 1656->1780 1662 59f78b2-59f7936 call 5ebab20 1785 59f7936 call 5ebada8 1662->1785 1786 59f7936 call 5ebad48 1662->1786 1668 59f793c-59f79c0 1790 59f79c0 call 5ebba28 1668->1790 1791 59f79c0 call 5ebcd31 1668->1791 1674 59f79c6-59f7a05 1792 59f7a05 call 5ebcdf9 1674->1792 1793 59f7a05 call 5ebcfe8 1674->1793 1677 59f7a0b-59f7bdf call 5ebd2e8 call 5ebe050 call 5ebe170 KiUserExceptionDispatcher 1797 59f7bdf call 5ebec89 1677->1797 1798 59f7bdf call 5ebece8 1677->1798 1697 59f7be5-59f7ca5 call 5ebf058 * 2 1783 59f7ca5 call 5ebf5e8 1697->1783 1784 59f7ca5 call 5ebf538 1697->1784 1706 59f7cab-59f7cea 1787 59f7cea call 59ff6f1 1706->1787 1788 59f7cea call 59ff700 1706->1788 1789 59f7cea call 59ffa30 1706->1789 1709 59f7cf0-59f8300 KiUserExceptionDispatcher 1775 59f8306-59f8355 1709->1775 1779->1662 1780->1662 1783->1706 1784->1706 1785->1668 1786->1668 1787->1709 1788->1709 1789->1709 1790->1674 1791->1674 1792->1677 1793->1677 1797->1697 1798->1697
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 20f35b03751b23f0c2013ecc521ac66c5926b2cafdcb36d41ed5e49da188e164
                                                                                    • Instruction ID: fb974e4af80d1cb1df9d1d064c204bbd27fbde0c120c21bcb1d72e31a8aaf284
                                                                                    • Opcode Fuzzy Hash: 20f35b03751b23f0c2013ecc521ac66c5926b2cafdcb36d41ed5e49da188e164
                                                                                    • Instruction Fuzzy Hash: 44E17238905268CFCBA8DB70D98D698BBB6FF49306F5045E9D509A6310CB3A9EC1CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1799 59f78cd-59f7936 call 59f5990 call 59f5b20 call 5ebab20 1923 59f7936 call 5ebada8 1799->1923 1924 59f7936 call 5ebad48 1799->1924 1808 59f793c-59f79c0 1930 59f79c0 call 5ebba28 1808->1930 1931 59f79c0 call 5ebcd31 1808->1931 1814 59f79c6-59f7a05 1932 59f7a05 call 5ebcdf9 1814->1932 1933 59f7a05 call 5ebcfe8 1814->1933 1817 59f7a0b-59f7bdf call 5ebd2e8 call 5ebe050 call 5ebe170 KiUserExceptionDispatcher 1918 59f7bdf call 5ebec89 1817->1918 1919 59f7bdf call 5ebece8 1817->1919 1837 59f7be5-59f7ca5 call 5ebf058 * 2 1925 59f7ca5 call 5ebf5e8 1837->1925 1926 59f7ca5 call 5ebf538 1837->1926 1846 59f7cab-59f7cea 1927 59f7cea call 59ff6f1 1846->1927 1928 59f7cea call 59ff700 1846->1928 1929 59f7cea call 59ffa30 1846->1929 1849 59f7cf0-59f8300 KiUserExceptionDispatcher 1915 59f8306-59f8355 1849->1915 1918->1837 1919->1837 1923->1808 1924->1808 1925->1846 1926->1846 1927->1849 1928->1849 1929->1849 1930->1814 1931->1814 1932->1817 1933->1817
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: af5425978abcad8ddf01737908367d89684d5b566e643af6aa1d53e4f4b13345
                                                                                    • Instruction ID: 6be1dc7641c9c552018abb20ede98592aa742e1b34bd8f4f64ab46c8efc0b268
                                                                                    • Opcode Fuzzy Hash: af5425978abcad8ddf01737908367d89684d5b566e643af6aa1d53e4f4b13345
                                                                                    • Instruction Fuzzy Hash: 6BE18238905268CFCBA8DB70D94D698BBB6FF49306F1045E9D509A6310CB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1937 59f7912-59f7936 call 59f5990 call 59f5b20 2060 59f7936 call 5ebada8 1937->2060 2061 59f7936 call 5ebad48 1937->2061 1943 59f793c-59f79c0 2067 59f79c0 call 5ebba28 1943->2067 2068 59f79c0 call 5ebcd31 1943->2068 1949 59f79c6-59f7a05 2069 59f7a05 call 5ebcdf9 1949->2069 2070 59f7a05 call 5ebcfe8 1949->2070 1952 59f7a0b-59f7bdf call 5ebd2e8 call 5ebe050 call 5ebe170 KiUserExceptionDispatcher 2056 59f7bdf call 5ebec89 1952->2056 2057 59f7bdf call 5ebece8 1952->2057 1972 59f7be5-59f7ca5 call 5ebf058 * 2 2062 59f7ca5 call 5ebf5e8 1972->2062 2063 59f7ca5 call 5ebf538 1972->2063 1981 59f7cab-59f7cea 2064 59f7cea call 59ff6f1 1981->2064 2065 59f7cea call 59ff700 1981->2065 2066 59f7cea call 59ffa30 1981->2066 1984 59f7cf0-59f8300 KiUserExceptionDispatcher 2050 59f8306-59f8355 1984->2050 2056->1972 2057->1972 2060->1943 2061->1943 2062->1981 2063->1981 2064->1984 2065->1984 2066->1984 2067->1949 2068->1949 2069->1952 2070->1952
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 08554f066021455f3b9748509fdac7726252911444e7b8e586b2a705bacb48ff
                                                                                    • Instruction ID: 6143b93622b54616e647f3b442e956d0af3ba0dd643d39d7fb907e3f276f578d
                                                                                    • Opcode Fuzzy Hash: 08554f066021455f3b9748509fdac7726252911444e7b8e586b2a705bacb48ff
                                                                                    • Instruction Fuzzy Hash: 14E18238905268CFCBA8DF70D94D698BBB6FF49306F1046E9D509A6310DB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 2071 59f7957-59f79c0 call 59f5990 call 59f5b20 2184 59f79c0 call 5ebba28 2071->2184 2185 59f79c0 call 5ebcd31 2071->2185 2080 59f79c6-59f7a05 2186 59f7a05 call 5ebcdf9 2080->2186 2187 59f7a05 call 5ebcfe8 2080->2187 2083 59f7a0b-59f7bdf call 5ebd2e8 call 5ebe050 call 5ebe170 KiUserExceptionDispatcher 2191 59f7bdf call 5ebec89 2083->2191 2192 59f7bdf call 5ebece8 2083->2192 2103 59f7be5-59f7ca5 call 5ebf058 * 2 2195 59f7ca5 call 5ebf5e8 2103->2195 2196 59f7ca5 call 5ebf538 2103->2196 2112 59f7cab-59f7cea 2197 59f7cea call 59ff6f1 2112->2197 2198 59f7cea call 59ff700 2112->2198 2199 59f7cea call 59ffa30 2112->2199 2115 59f7cf0-59f8300 KiUserExceptionDispatcher 2181 59f8306-59f8355 2115->2181 2184->2080 2185->2080 2186->2083 2187->2083 2191->2103 2192->2103 2195->2112 2196->2112 2197->2115 2198->2115 2199->2115
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 8607c0becd07aaad8f8c5bc237d51036fb3c8c81a3e049399576aedbee614cae
                                                                                    • Instruction ID: 3547dda2f4860a1bf99c3e6c5e183e9ed4f7b075c784299290985d4f5fb5c3e6
                                                                                    • Opcode Fuzzy Hash: 8607c0becd07aaad8f8c5bc237d51036fb3c8c81a3e049399576aedbee614cae
                                                                                    • Instruction Fuzzy Hash: DBE18238905268CFCBA8DB70D94D698BBB6FF49306F5045E9D509A6310CB3A9EC1CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 2200 59f799c-59f79c0 call 59f5990 call 59f5b20 2319 59f79c0 call 5ebba28 2200->2319 2320 59f79c0 call 5ebcd31 2200->2320 2206 59f79c6-59f7a05 2321 59f7a05 call 5ebcdf9 2206->2321 2322 59f7a05 call 5ebcfe8 2206->2322 2209 59f7a0b-59f7bdf call 5ebd2e8 call 5ebe050 call 5ebe170 KiUserExceptionDispatcher 2310 59f7bdf call 5ebec89 2209->2310 2311 59f7bdf call 5ebece8 2209->2311 2229 59f7be5-59f7ca5 call 5ebf058 * 2 2314 59f7ca5 call 5ebf5e8 2229->2314 2315 59f7ca5 call 5ebf538 2229->2315 2238 59f7cab-59f7cea 2316 59f7cea call 59ff6f1 2238->2316 2317 59f7cea call 59ff700 2238->2317 2318 59f7cea call 59ffa30 2238->2318 2241 59f7cf0-59f8300 KiUserExceptionDispatcher 2307 59f8306-59f8355 2241->2307 2310->2229 2311->2229 2314->2238 2315->2238 2316->2241 2317->2241 2318->2241 2319->2206 2320->2206 2321->2209 2322->2209
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 31598565a6aa2cf90100ffe9ef98749681b368144fc2fa9dab85db9e145f9f30
                                                                                    • Instruction ID: 0e82999d7b202c3140689e2a56893906a2c6a3dd3ef84eefb109317a2703773f
                                                                                    • Opcode Fuzzy Hash: 31598565a6aa2cf90100ffe9ef98749681b368144fc2fa9dab85db9e145f9f30
                                                                                    • Instruction Fuzzy Hash: B1D18238905268CFCBA8DB70D94D698BBB6FF49306F1046E9D509A6310DB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: e811e2f8454debeceae5a3264233e02d9f2174cfc729659aeec3f3ba5f141657
                                                                                    • Instruction ID: be00d6f43290e48f47847892231e15d4fcd0faf6924cf47254d3638cb52376ee
                                                                                    • Opcode Fuzzy Hash: e811e2f8454debeceae5a3264233e02d9f2174cfc729659aeec3f3ba5f141657
                                                                                    • Instruction Fuzzy Hash: 76D18138905268CFCBA8DB70D94D698BBB6FF49306F1046E9D509A6310DB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 8af025f0b38ad698c131f4e5730e44b6bd15d4d763b2292c58fd0110f841c598
                                                                                    • Instruction ID: e8b9e0e5a09afdbf305fd025e941935793a509c622c1baafd1fc8fa84bd03d12
                                                                                    • Opcode Fuzzy Hash: 8af025f0b38ad698c131f4e5730e44b6bd15d4d763b2292c58fd0110f841c598
                                                                                    • Instruction Fuzzy Hash: 7FD18238905268CFCBA8DB70D94D698BBB6FF49306F5046E9D50DA6310CB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: c1dcac242fb8aaca57d6c34b2d833afa82c69a52604b50d6b82b4b3fb49d58b5
                                                                                    • Instruction ID: 9de0c9fd555f1499aaecbf348a5e0a453007ef3eb0cc33a8b6d7ff5e07a36846
                                                                                    • Opcode Fuzzy Hash: c1dcac242fb8aaca57d6c34b2d833afa82c69a52604b50d6b82b4b3fb49d58b5
                                                                                    • Instruction Fuzzy Hash: 5BC18138905268CFCBA8DB70D94D698BBB6FF49306F5046E9D50DA6310CB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 0a13aa3e9e7bf55f73b33bd379c275c1a88f3a6c10bdeb469b94d35fd37f9d7f
                                                                                    • Instruction ID: 1d69e9371a05c20fd16da9570be47ab2076e27fb9ac16794139f401fbafd6e3b
                                                                                    • Opcode Fuzzy Hash: 0a13aa3e9e7bf55f73b33bd379c275c1a88f3a6c10bdeb469b94d35fd37f9d7f
                                                                                    • Instruction Fuzzy Hash: A6C18238905268CFCBA8DB70D94D698BBB6FF49306F5046E9D50DA6310CB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: c4f764a7c8fcae918551482b14a4fd2ab7d0d61b0d6bcabad5dac54594e849df
                                                                                    • Instruction ID: 94ec837a87d21ac8552064a973fdaab49899fe5baf13dec971c4cc051f7dbe90
                                                                                    • Opcode Fuzzy Hash: c4f764a7c8fcae918551482b14a4fd2ab7d0d61b0d6bcabad5dac54594e849df
                                                                                    • Instruction Fuzzy Hash: 65C19238905228CFCBA8DB70D94D698BBB6FF49306F5046E9D50DA6310CB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 3f4aa18c08d40924867a4a92ea3da3c68f700e5b476bb879cdc250ce3b5127c8
                                                                                    • Instruction ID: c229a758c1cca3ecf2bacebe96000e7ffb5c1fa9f09b9cf472172cee4f337edc
                                                                                    • Opcode Fuzzy Hash: 3f4aa18c08d40924867a4a92ea3da3c68f700e5b476bb879cdc250ce3b5127c8
                                                                                    • Instruction Fuzzy Hash: 10B19138905228CFCBA8DB70D94D698BBB6FF49306F5046E9D50DA6310CB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7B9A
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 54137ec266ecdacec046dccbe934a913d9eb2d05ab55bb55aae1a87c4d81e08d
                                                                                    • Instruction ID: 10961776d7e5f1f822371de946ecf150e55a1adce586c91496c45b2fcff74f28
                                                                                    • Opcode Fuzzy Hash: 54137ec266ecdacec046dccbe934a913d9eb2d05ab55bb55aae1a87c4d81e08d
                                                                                    • Instruction Fuzzy Hash: 55B18138905228CFCBA8DB74D94D698BBB6FF49306F5046E9D50DA6310CB369E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 081668a5ebc1febf30f6fbe1e171515f8dd5b3dfae8b988ce75bc0bbe66cc2dc
                                                                                    • Instruction ID: 31109336a2c5bcaaf92cf9d5d0427ed961be2639b0a1d0a70ba4adf0b1cdc245
                                                                                    • Opcode Fuzzy Hash: 081668a5ebc1febf30f6fbe1e171515f8dd5b3dfae8b988ce75bc0bbe66cc2dc
                                                                                    • Instruction Fuzzy Hash: 72B19138905228CFCBA8DB74D94D698BBB2FF49306F5046E9D50DA6310CB3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 2ae270ac9868193f4a2d828bca765c3f0409151c02aa561235d1a16bc737153a
                                                                                    • Instruction ID: 9166c895c6add1f7d4e9c4f70612a3deacb96a04dc6c3e2410b61d3466146234
                                                                                    • Opcode Fuzzy Hash: 2ae270ac9868193f4a2d828bca765c3f0409151c02aa561235d1a16bc737153a
                                                                                    • Instruction Fuzzy Hash: 82A19138905228CFCBA8DB74D94D698BBB6FF49306F5046E9D50EA6310CB369E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 9f8816eae51d1ef8645f2c854fc9413a862315e1931c598ab47cd0384c91a56a
                                                                                    • Instruction ID: 7bfae72305baebe963f74cc7745c9e2751eeead547a4f371c6bdf107b733531b
                                                                                    • Opcode Fuzzy Hash: 9f8816eae51d1ef8645f2c854fc9413a862315e1931c598ab47cd0384c91a56a
                                                                                    • Instruction Fuzzy Hash: 30A19238905228CFCBA8DF70D94D698BBB6FF49306F5046E9D509A6310DB369E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: acf2e5527471cc10f47c647fbdc02c3263e107c56f3bb4beb2e3ebc23946fd2a
                                                                                    • Instruction ID: 11fbb35385d95e31897469b6ca5567d2f0aad5975b94cb3f712c824eeb662ec6
                                                                                    • Opcode Fuzzy Hash: acf2e5527471cc10f47c647fbdc02c3263e107c56f3bb4beb2e3ebc23946fd2a
                                                                                    • Instruction Fuzzy Hash: CBA19138905228CFCBA8DB70D94D698BBB2FF49306F5046E9D509A6310DF3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 456e75c565a4fac3b3c92718e91ce3ee4cc4abec86aa775f8e50031c930390b9
                                                                                    • Instruction ID: 20ae4318496103018e51f3907fb1670f83d8cede25b12555304fe700aae5d3be
                                                                                    • Opcode Fuzzy Hash: 456e75c565a4fac3b3c92718e91ce3ee4cc4abec86aa775f8e50031c930390b9
                                                                                    • Instruction Fuzzy Hash: E4919138905228CFCBA8DB74D94D698BBB6FF49306F5046E9D509A6310CF3A9E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: e651bf6b18731206aa990493da716f11cefa3b6db967b03754e89036c82e252f
                                                                                    • Instruction ID: b788463e85969d2194520ce4e9dcd16743e77749828f719119b7648782a9f939
                                                                                    • Opcode Fuzzy Hash: e651bf6b18731206aa990493da716f11cefa3b6db967b03754e89036c82e252f
                                                                                    • Instruction Fuzzy Hash: D7919038905228CFCBA8DB74D94D698BBB6FF49306F5046EAD50DA6310CB369E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 059F7D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570295722.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_59f0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: da3900b9153b4d35d5f91aa6a563679193095e03fd09c382bf187978a2620072
                                                                                    • Instruction ID: 48f87ffe65ce5eebf16117a3c96dd3191098d8ef94b9908ea09896e0d34122cb
                                                                                    • Opcode Fuzzy Hash: da3900b9153b4d35d5f91aa6a563679193095e03fd09c382bf187978a2620072
                                                                                    • Instruction Fuzzy Hash: 30819138905228CFCBA8DB74D94D698BBB6FF49306F5046EAD50DA6210CF369E81CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNELBASE(?), ref: 02BECC7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.564505273.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_2be0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: 4b16ff9681c14a80b94f221a30840fd1fd3915a0b308542f309fa6a8827b5ebd
                                                                                    • Instruction ID: 12d737e01357ac39bba6b7949cbf99b98e8c67b24e0afbe4562411506404dee0
                                                                                    • Opcode Fuzzy Hash: 4b16ff9681c14a80b94f221a30840fd1fd3915a0b308542f309fa6a8827b5ebd
                                                                                    • Instruction Fuzzy Hash: 423134B0E002498FDF14CFA9C98579EBFB1FB08314F14856AE816AB390D7789885CF95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNELBASE(?), ref: 02BECC7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.564505273.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_2be0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: ce96e8894063b9326a2e359c1ace17a84739acfdadd5ac0bb94cd69a9fec433e
                                                                                    • Instruction ID: 3430227f353066400c2a30252995eeb3306fbed097218f161893d641224cb5cb
                                                                                    • Opcode Fuzzy Hash: ce96e8894063b9326a2e359c1ace17a84739acfdadd5ac0bb94cd69a9fec433e
                                                                                    • Instruction Fuzzy Hash: B13132B0D002498FDF14DFA9C985B9EBFB1FB08314F14856AE816AB390D7789881CF95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 05EBFC71
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570623997.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_5eb0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3660427363-0
                                                                                    • Opcode ID: a6817f81811f693fc9d9f64236295bd84a2323647e97e88a6046f600618b542a
                                                                                    • Instruction ID: cc749e1b77bf311039639428995df38146feb69e92568db536930446c11a6fcc
                                                                                    • Opcode Fuzzy Hash: a6817f81811f693fc9d9f64236295bd84a2323647e97e88a6046f600618b542a
                                                                                    • Instruction Fuzzy Hash: 683100B1D00258DFDB20CF9AD984ADEBBF5BF48314F54842AE829AB310D7749845CF94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 05EBF9B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.570623997.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_5eb0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: Open
                                                                                    • String ID:
                                                                                    • API String ID: 71445658-0
                                                                                    • Opcode ID: 4a47cf9c6143f9701133315b0e63da012c1b03ba4be382bdcf30a9d1c355d41b
                                                                                    • Instruction ID: ee51a263473c31b7c69ac44169023162e70142ec7016e89aeed9610e2e4c8399
                                                                                    • Opcode Fuzzy Hash: 4a47cf9c6143f9701133315b0e63da012c1b03ba4be382bdcf30a9d1c355d41b
                                                                                    • Instruction Fuzzy Hash: DC31F2B1D002499FEB14CF99C584ACEFFF5BF48304F24856AE459AB301D7B59984CB94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 02BE4FF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.564505273.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_2be0000_rdwREyLU2K.jbxd
                                                                                    Similarity
                                                                                    • API ID: EncodePointer
                                                                                    • String ID:
                                                                                    • API String ID: 2118026453-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 02BE4FF2
Memory Dump Source
• Source File: 00000002.00000002.564505273.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2be0000_rdwREyLU2K.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.564079390.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d4d000_rdwREyLU2K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.564079390.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_d4d000_rdwREyLU2K.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%