
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 828932
MD5: d442830fc92de9465d9bf425922173a5
SHA1: 27eaed777470e6a9f855894b2af3c7baa1c812eb
SHA256: 5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449
Tags: exe

Detection

Aurora
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara Aurora Stealer
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Machine Learning detection for sample
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 2284 cmdline: C:\Users\user\Desktop\file.exe MD5: D442830FC92DE9465D9BF425922173A5)
    • file.exe (PID: 4980 cmdline: C:\Users\user\Desktop\file.exe MD5: D442830FC92DE9465D9BF425922173A5)
    • file.exe (PID: 1092 cmdline: C:\Users\user\Desktop\file.exe MD5: D442830FC92DE9465D9BF425922173A5)
    • file.exe (PID: 1380 cmdline: C:\Users\user\Desktop\file.exe MD5: D442830FC92DE9465D9BF425922173A5)
      • WMIC.exe (PID: 5476 cmdline: wmic os get Caption MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3308 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 4072 cmdline: wmic path win32_VideoController get name MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • cmd.exe (PID: 4140 cmdline: cmd /C "wmic cpu get name" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 2324 cmdline: wmic cpu get name MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
  • cleanup
{"C2 url": "138.201.198.8:8081"}
Source | Rule | Description | Author | Strings
00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Aurora | Yara Aurora Stealer | Joe Security |
00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Aurora | Yara Aurora Stealer | Joe Security |
Process Memory Space: file.exe PID: 2284 | JoeSecurity_Aurora | Yara Aurora Stealer | Joe Security |
Process Memory Space: file.exe PID: 1380 | JoeSecurity_Aurora | Yara Aurora Stealer | Joe Security |

Source | Rule | Description | Author | Strings
3.2.file.exe.400000.0.unpack | JoeSecurity_Aurora | Yara Aurora Stealer | Joe Security |
3.2.file.exe.400000.0.raw.unpack | JoeSecurity_Aurora | Yara Aurora Stealer | Joe Security |
0.2.file.exe.3f29930.1.unpack | JoeSecurity_Aurora | Yara Aurora Stealer | Joe Security |
0.2.file.exe.3f29930.1.raw.unpack | JoeSecurity_Aurora | Yara Aurora Stealer | Joe Security |
No Sigma rule has matched

Timestamp: 03/17/23-17:30:41.217735
Source IP: 138.201.198.8
Destination IP: 192.168.2.5
SID: 2043200
Source Port: 8081
Destination Port: 49695
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-17:30:40.120429
Source IP: 138.201.198.8
Destination IP: 192.168.2.5
SID: 2043199
Source Port: 8081
Destination Port: 49695
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-17:30:09.566708
Source IP: 138.201.198.8
Destination IP: 192.168.2.5
SID: 2043198
Source Port: 8081
Destination Port: 49695
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: file.exe | ReversingLabs: Detection: 30%
Source: file.exe | Virustotal: Detection: 26%
Source: file.exe | Avira: detected
Source: 138.201.198.8:8081 | Avira URL Cloud: Label: malware
Source: file.exe | Joe Sandbox ML: detected
Source: 0.0.file.exe.760000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.file.exe.3f29930.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Aurora {"C2 url": "138.201.198.8:8081"}
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ClassLibrary2.pdb source: file.exe, 00000000.00000002.420469142.0000000002F21000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\

Networking

Source: Traffic | Snort IDS: 2043198 ET TROJAN Win32/Aurora Stealer WORK Command 138.201.198.8:8081 -> 192.168.2.5:49695
Source: Traffic | Snort IDS: 2043199 ET TROJAN Win32/Aurora Stealer Accept Command 138.201.198.8:8081 -> 192.168.2.5:49695
Source: Traffic | Snort IDS: 2043200 ET TROJAN Win32/Aurora Stealer Thanks Command 138.201.198.8:8081 -> 192.168.2.5:49695
Source: Malware configuration extractor | URLs: 138.201.198.8:8081
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View | IP Address: 138.201.198.8 138.201.198.8
Source: global traffic | TCP traffic: 192.168.2.5:49695 -> 138.201.198.8:8081
Source: unknown | TCP traffic detected without corresponding DNS query: 138.201.198.8
                  Source: file.exe, 00000000.00000003.337794063.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cni-f
                  Source: file.exe, 00000000.00000003.337794063.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-g
                  Source: file.exe, 00000000.00000003.337962891.000000000A4EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337794063.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnt
                  Source: file.exe, 00000000.00000003.366292013.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                  Source: file.exe, 00000000.00000003.366292013.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.366739703.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.366292013.000000000A4F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.366497870.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.367006125.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.366497870.000000000A4F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: file.exe, 00000000.00000003.337591527.000000000A4E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337485839.000000000A4E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337279918.000000000A4E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337064048.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337407744.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337208191.000000000A4E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337545124.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.336953413.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: file.exe, 00000000.00000003.336371363.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.itcfonts.
                  Source: file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.353556246.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352570967.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349713716.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349501543.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/%
                  Source: file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/?
                  Source: file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351968972.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352416154.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352202056.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352321678.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/C
                  Source: file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/J
                  Source: file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349713716.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351968972.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349501543.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/N
                  Source: file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/O
                  Source: file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
                  Source: file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351968972.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352416154.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352202056.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352321678.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0o
                  Source: file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351968972.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/J
                  Source: file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k
                  Source: file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oi
                  Source: file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351968972.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/q
                  Source: file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ueL
                  Source: file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vaC
                  Source: file.exe, 00000000.00000003.336531465.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
                  Source: file.exe, 00000000.00000003.334456986.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334315119.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334261151.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: file.exe, 00000000.00000003.334407976.000000000A4E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334456986.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comatiD
                  Source: file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comd
                  Source: file.exe, 00000000.00000003.334407976.000000000A4E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334456986.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comdec
                  Source: file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comelp
                  Source: file.exe, 00000000.00000003.334407976.000000000A4E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334456986.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coment
                  Source: file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comuma
                  Source: file.exe, 00000000.00000003.352106495.000000000A4E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: file.exe, 00000000.00000003.336953413.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: file.exe, 00000000.00000003.336818877.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr;
                  Source: file.exe, 00000000.00000003.337064048.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.336953413.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krR
                  Source: file.exe, 00000000.00000003.336818877.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.336953413.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krormalY
                  Source: file.exe, 00000000.00000003.340443926.000000000A4EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349085304.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: file.exe, 00000000.00000003.336283100.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com#
                  Source: file.exe, 00000000.00000003.335535000.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.typography.net
                  Source: file.exe, 00000000.00000003.335401632.000000000A4DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.335453965.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netr
                  Source: file.exe, 00000000.00000003.355239770.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
                  Source: file.exe, 00000000.00000003.343164747.000000000A4E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: jQZLCtTMtT.3.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: jQZLCtTMtT.3.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: jQZLCtTMtT.3.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: file.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: jQZLCtTMtT.3.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: file.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: file.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                  Source: file.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                  Source: file.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                  Source: file.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ()<>@,;:\"/[]?=,M3.2.0,M11.1.0476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAddDllDirectoryC:\Windows.old\CLSIDFromStringCallWindowProcWCreateHardLinkWCreatePopupMenuCreateWindowExWDeviceIoControlDialogBoxParamWDragAcceptFilesDrawThemeTextExDuplicateHandleExcludeClipRectFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGdiplusShutdownGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleHanifi_RohingyaImpersonateSelfInsertMenuItemWIsWindowEnabledIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLiqualityWalletLoadLibraryExA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143A2A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143BE0C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143A150
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143EC10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143CF50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04F66614
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04F66618
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_054C9F4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_054CC621
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_004380C0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_004484A0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0044B730
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0042D840
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00419A54
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00413E70
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00414EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00414F69
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004376F0 appears 423 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00439880 appears 459 times
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00464EC0 SetWaitableTimer, SetWaitableTimer, NtWaitForSingleObject
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00464E80 NtWaitForSingleObject
Source: file.exe, 00000000.00000000.308648810.0000000000C16000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamescanui.exeJ vs file.exe
Source: file.exe, 00000000.00000002.420469142.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClassLibrary2.dll< vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamescanui.exeJ vs file.exe
Source: file.exe | ReversingLabs: Detection: 30%
Source: file.exe | Virustotal: Detection: 26%
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
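The process tree above (file.exe spawning a copy of itself, which then runs `wmic os get Caption`, `cmd /C "wmic path win32_VideoController get name"` and `cmd /C "wmic cpu get name"` within seconds) is a host-fingerprinting pattern that can be detected from process-creation telemetry alone: the individual WMIC commands are benign, the combination from a single untrusted root process is not. The following is an added example written for this page, not Joe Sandbox code. It walks parent links back to the root of each WMIC process and alerts when one root issues two or more of these hardware/OS queries within a short window; it also flags a process that spawns its own image (the suspended-child pattern the report lists). The event records use a constructed, simplified schema (not Sysmon's or any EDR's), and every PID except 2284 is made up.

```python
"""Detect the WMIC host-fingerprinting chain from process-creation events.

Added example for this report page; not Joe Sandbox code. ProcEvent is a
constructed, simplified event shape, not a real telemetry schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float       # seconds since start of the trace
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# The three WMIC queries the report shows; together they profile OS, GPU and CPU.
FINGERPRINT_QUERIES = {
    "os": re.compile(r"\bos\s+get\s+caption\b", re.I),
    "gpu": re.compile(r"\bpath\s+win32_videocontroller\s+get\s+name\b", re.I),
    "cpu": re.compile(r"\bcpu\s+get\s+name\b", re.I),
}


def root_ancestor(ev, by_pid):
    """Follow ppid links until the parent is outside the trace (e.g. explorer)."""
    cur = ev
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur


def find_wmi_fingerprinting(events, window_s=60.0, min_queries=2):
    """Return one alert per root process that issued >= min_queries distinct
    fingerprinting queries (via any depth of cmd.exe/WMIC.exe) within window_s."""
    by_pid = {e.pid: e for e in events}
    hits = {}  # root pid -> {query name: WMIC event}
    for e in events:
        if not e.image.lower().endswith("\\wmic.exe"):
            continue
        for name, rx in FINGERPRINT_QUERIES.items():
            if rx.search(e.cmdline):
                hits.setdefault(root_ancestor(e, by_pid).pid, {})[name] = e
    alerts = []
    for root_pid, qs in hits.items():
        times = sorted(ev.ts for ev in qs.values())
        if len(qs) >= min_queries and times[-1] - times[0] <= window_s:
            alerts.append({
                "root_pid": root_pid,
                "root_image": by_pid[root_pid].image,
                "queries": sorted(qs),
                "span_s": times[-1] - times[0],
            })
    return alerts


def find_self_spawn(events):
    """Processes whose parent runs the very same image (file.exe -> file.exe)."""
    by_pid = {e.pid: e for e in events}
    return [e for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


# Constructed trace modelled on the report's process tree. PID 2284 is the
# report's first file.exe; all other PIDs and timestamps are invented.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 2284, 1000, r"C:\Users\user\Desktop\file.exe", r"C:\Users\user\Desktop\file.exe"),
    ProcEvent(1.0, 3100, 2284, r"C:\Users\user\Desktop\file.exe", r"C:\Users\user\Desktop\file.exe"),
    ProcEvent(2.0, 3200, 3100, r"C:\Windows\SysWOW64\wbem\WMIC.exe", "wmic os get Caption"),
    ProcEvent(2.5, 3300, 3100, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /C "wmic path win32_VideoController get name"'),
    ProcEvent(2.6, 3400, 3300, r"C:\Windows\SysWOW64\wbem\WMIC.exe", "wmic path win32_VideoController get name"),
    ProcEvent(3.0, 3500, 3100, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /C "wmic cpu get name"'),
    ProcEvent(3.1, 3600, 3500, r"C:\Windows\SysWOW64\wbem\WMIC.exe", "wmic cpu get name"),
    # Benign control: an interactive shell runs a single query much later.
    ProcEvent(50.0, 4000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(55.0, 4100, 4000, r"C:\Windows\System32\wbem\WMIC.exe", "wmic cpu get name"),
]

if __name__ == "__main__":
    for a in find_wmi_fingerprinting(SAMPLE_EVENTS):
        print(f"ALERT root pid {a['root_pid']} ({a['root_image']}): "
              f"{', '.join(a['queries'])} within {a['span_s']:.1f}s")
    for e in find_self_spawn(SAMPLE_EVENTS):
        print(f"self-spawn: pid {e.ppid} -> pid {e.pid} ({e.image})")
```

The benign control (one `wmic cpu get name` from an interactive shell) produces no alert because the rule requires at least two distinct fingerprinting queries under the same root; raising `min_queries` to 3 matches exactly the triple seen here, at the cost of missing variants that drop one query.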
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\XVlBzgbaiC
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/9@0/1
Source: EFfRsWxPLD.3.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
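Three of the report's findings are plain string indicators: the version-info `OriginalFilename` values (scanui.exe, ClassLibrary2.dll) that disagree with the on-disk name file.exe, the Chromium search-provider URLs carried by the dropped file jQZLCtTMtT, and the `password_notes` table definition from Chromium's Login Data database in the dropped file EFfRsWxPLD. The example below, added for this page and not part of Joe Sandbox, shows how such a scan works over a raw memory region or file: it searches for each indicator in both ASCII and UTF-16LE (Windows stores version resources and much in-process text as UTF-16), reports offsets, and lists every claimed original file name that differs from the sample's name. The dump is a constructed byte blob built inline from the strings the report lists; it is not the real memory of this sample.

```python
"""String-indicator scan over a memory dump or binary (ASCII and UTF-16LE).

Added example for this report page; not Joe Sandbox's engine. SAMPLE_DUMP is
a constructed blob that embeds strings taken from the report's rows.
"""
import re

# Indicator strings copied from the report's "String found in binary or memory" rows.
INDICATORS = {
    "chromium_search_providers": [
        b"https://duckduckgo.com/chrome_newtab",
        b"https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=",
        b"https://ac.ecosia.org/autocomplete?q=",
    ],
    "chromium_login_data_schema": [
        b"CREATE TABLE password_notes (",
    ],
}


def _utf16(s: bytes) -> bytes:
    return s.decode("ascii").encode("utf-16-le")


def scan_indicators(blob: bytes):
    """Return [(category, indicator, encoding, offset)] sorted by offset."""
    found = []
    for cat, needles in INDICATORS.items():
        for needle in needles:
            for enc, pat in (("ascii", needle), ("utf-16le", _utf16(needle))):
                start = 0
                while (off := blob.find(pat, start)) != -1:
                    found.append((cat, needle.decode(), enc, off))
                    start = off + 1
    return sorted(found, key=lambda t: t[3])


# VS_VERSION_INFO stores the key "OriginalFilename", a NUL terminator and then the
# value; the lazy quantifier stops at the first .exe/.dll so trailing junk is ignored.
_ORIGINAL_FILENAME = re.compile(
    r"OriginalFilename\x00*([\x20-\x7e]{1,64}?\.(?:exe|dll))", re.I)


def _views(blob: bytes):
    """Text views of the blob: byte-for-byte (latin-1) and UTF-16LE at both
    alignments, so wide strings are found wherever they start."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")
    yield blob[1:].decode("utf-16-le", errors="ignore")


def version_info_mismatch(blob: bytes, on_disk_name: str):
    """Claimed original file names that differ from the name the file has on disk."""
    claimed = {m.group(1) for view in _views(blob) for m in _ORIGINAL_FILENAME.finditer(view)}
    return sorted(n for n in claimed if n.lower() != on_disk_name.lower())


# Constructed stand-in for a process memory region: ASCII strings, one ASCII
# version-info entry, then UTF-16LE strings (parity of their offset does not matter).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"https://duckduckgo.com/chrome_newtab\x00"
    + b"\xcc" * 16
    + b"CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
      b"parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE "
      b"DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, "
      b"date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));\x00"
    + b"OriginalFilename\x00ClassLibrary2.dll\x00"
    + b"\x00"
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + "scanui.exe".encode("utf-16-le") + b"\x00\x00"
    + "https://ac.ecosia.org/autocomplete?q=".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for cat, ind, enc, off in scan_indicators(SAMPLE_DUMP):
        print(f"{off:#010x} {enc:8} {cat}: {ind}")
    print("OriginalFilename mismatch vs file.exe:",
          version_info_mismatch(SAMPLE_DUMP, "file.exe"))
```

Scanning both alignments of the UTF-16 view is what makes the wide-string matches reliable on an arbitrary dump; a single `decode("utf-16-le")` of the whole region misses every wide string that starts at an odd offset.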
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_01
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\????????????
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_01
Source: file.exe | String found in binary or memory: {91bc9a05-58a7-4042-adda-4ff3bd023d74}
Source: file.exe | String found in binary or memory: .cctor.ctorEventArgsCreateMemberRefsDelegatestypeIDCreateGetStringDelegateownerTypeobjectmethodiBeginInvokeIAsyncResultAsyncCallbackcallbackEndInvokeresultResolveEventArgsAppDomainBitmapMoveFileExkernel32DefaultIsWebApplicationOnCreateMainFormCompilationRelaxationsAttributeRuntimeCompatibilityAttributeDebuggableAttributeSystem.DiagnosticsDebuggingModesAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeComVisibleAttributeSystem.Runtime.InteropServicesGuidAttributeAssemblyFileVersionAttributeNeutralResourcesLanguageAttributeTargetFrameworkAttributeSystem.Runtime.VersioningSuppressIldasmAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerEditorBrowsableAttributeEditorBrowsableStateDebuggerNonUserCodeAttributeCompilerGeneratedAttributeAttributeUsageAttributeAttributeTargetsThreadStaticAttributeSTAThreadAttribute{dd653afa-5511-476b-a66e-b09f77e47dda}{91bc9a05-58a7-4042-adda-4ff3bd023d74}AuthenticationModeset_IsSingleInstanceset_EnableVisualStylesset_SaveMySettingsOnExitset_ShutdownStyleShutdownModeget_IsDisposedUtilsGetResourceStringInvalidOperationExceptionActivatorTargetInvocationExceptionget_InnerExceptionget_MessageRemoveContainsKeyEventHandleradd_LoadOperatorsAddObjectConversionsByteToLowerProcessGetCurrentProcessget_MainModuleProcessModuleget_ModuleNameStringBuilderAppendop_InequalityEmptyCharSplitTrimStartsWithSubstringResolveTypeHandleGetFieldsFieldInfoBindingFlagsget_CharsResolveMethodHandleRuntimeMethodHandleGetMethodFromHandleget_IsStaticget_FieldTypeDelegateCreateDelegateGetParametersParameterInfoget_ParameterTypeget_ReturnTypeDynamicMethodSystem.Reflection.EmitGetILGeneratorILGeneratorOpCodesLdarg_0OpCodeEmitLdarg_1Ldarg_2Ldarg_3Ldarg_STailcallCallCallvirtRetSetValueGetModulesModuleget_ModuleHandleInitializeArrayRuntimeFieldHandleInt32get_ModuleGetMethodsLdc_I4get_MetadataTokenSubResolveEventHandlerget_CurrentDomainadd_ResourceResolveGetManifestResourceNamesStackFrameGetMethodStackTraceGetFramesInt16add_AssemblyResolveToBase64StringIndexOfget_ItemPathGetTempPathFormatDirectoryCreateDirectoryDirectoryInfoConcatFileExistsOpenWriteFileStreamWriteLoadFileset_ItemFileLoadExceptionBadImageFormatExceptionTryGetValueCreateEncryptorDESCryptoServiceProviderRijndaelManagedReadByteMD5CryptoServiceProviderFormatExceptionget_PositionGetCallingAssemblyArgumentOutOfRangeExceptionMathMin
Source: file.exe | String found in binary or memory: 75M{91bc9a05-58a7-4042-adda-4ff3bd023d74}
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: file.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: file.exeStatic file information: File size 5018112 > 1048576
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: file.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x471800
                  Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
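The four "Static PE information" lines above are header facts that can be recomputed offline without running the sample: the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR slot is the CLR runtime header, which is what makes this a managed (.NET) image, the .text sizes come straight from the section table, and the last line is the DllCharacteristics bit set. The following is an added example, not part of the Joe Sandbox report: a standard-library Python parser that walks DOS header, PE signature, COFF header, optional header, data directories and section table, and emits the same findings. Because the sample itself is not reproduced here, it runs on a constructed PE32 header padded to the reported 5018112 bytes; the .text raw size 0x471800 follows the report, while the virtual size 0x4717E4 and the RVAs are invented placeholders.

```python
"""Static PE triage (added example): recompute the report's 'Static PE
information' findings from raw header bytes, using only the standard library."""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header slot: present => .NET image
BIG_SECTION = 0x100000                      # 1 MiB threshold the report applies to .text
BIG_FILE = 1048576
DLL_CHARACTERISTICS = {                     # IMAGE_DLLCHARACTERISTICS_* bits
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    com_rva = com_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = {}
    table = opt + opt_size
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "virtual_size": vsize, "raw_size": raw_size}
    return {
        "is_dotnet": com_rva != 0 and com_size != 0,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "sections": sections,
        "file_size": len(data),
    }


def triage(data: bytes) -> list:
    """Emit findings in the wording the sandbox report uses."""
    info = parse_pe(data)
    out = []
    if info["is_dotnet"]:
        out.append("data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR")
    text = info["sections"].get(".text")
    if text and text["virtual_size"] > BIG_SECTION:
        out.append("Virtual size of .text is bigger than: 0x%X" % BIG_SECTION)
    if text and text["raw_size"] > BIG_SECTION:
        out.append("Raw size of .text is bigger than: 0x%X < 0x%X" % (BIG_SECTION, text["raw_size"]))
    if info["file_size"] > BIG_FILE:
        out.append("File size %d > %d" % (info["file_size"], BIG_FILE))
    out.append(", ".join(info["dll_characteristics"]))
    return out


def build_sample_pe(file_size: int = 5018112, text_raw: int = 0x471800,
                    text_virtual: int = 0x4717E4) -> bytes:
    """Constructed PE32 header (NOT the real sample): only the fields parse_pe reads are
    meaningful; file_size and text_raw follow the report, text_virtual and the RVAs are invented."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    section = struct.pack("<8sIIIIIIHHI", b".text", text_virtual, 0x2000, text_raw, 0x200,
                          0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return header + b"\0" * (file_size - len(header))


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print("Static PE information:", line)
```

Pointing parse_pe at a real file is a matter of `parse_pe(open(path, "rb").read())`; the CLR-header check is the cheap way to route a sample to a .NET decompiler before spending time on native disassembly, which is also why the metadata member names above (DynamicMethod, ILGenerator, RijndaelManaged, ResourceResolve) are worth reading as a loader signature rather than noise.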
                  Source: Binary string: ClassLibrary2.pdb source: file.exe, 00000000.00000002.420469142.0000000002F21000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe :: Code function: 0_2_04F61454 push ecx; ret 0_2_04F61455
Source: C:\Users\user\Desktop\file.exe :: Code function: 0_2_054C7541 push 60054898h; ret 0_2_054C754D
Source: C:\Users\user\Desktop\file.exe :: Code function: 0_2_054CD4ED push ss; ret 0_2_054CD4F3
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_0042F17E pushfd ; ret 3_2_0042F17F
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_0042F35B pushfd ; ret 3_2_0042F35C
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_0041853A pushfd ; ret 3_2_0041853B
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_004357E4 pushfd ; retn 006Bh 3_2_004357E5
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_0041FEA4 pushfd ; ret 3_2_0041FEA5
Source: C:\Users\user\Desktop\file.exe :: Process information set: NOOPENFILEERRORBOX (35 identical events)
Source: C:\Users\user\Desktop\file.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe TID: 4416 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed (3 identical events)
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_004640F0 rdtsc 3_2_004640F0
Source: C:\Users\user\Desktop\file.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wbem\WMIC.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Users\user\Desktop\file.exe :: Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_00433690 GetProcessAffinityMask,GetSystemInfo,3_2_00433690
Source: C:\Users\user\Desktop\file.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\
Source: C:\Users\user\Desktop\file.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\
Source: C:\Users\user\Desktop\file.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\
Source: C:\Users\user\Desktop\file.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\
Source: C:\Users\user\Desktop\file.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\
Source: C:\Users\user\Desktop\file.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_004640F0 rdtsc 3_2_004640F0
Source: C:\Users\user\Desktop\file.exe :: Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe :: Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe :: Code function: 3_2_0044A4E0 RtlAddVectoredExceptionHandler,SetUnhandledExceptionFilter,3_2_0044A4E0

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe :: Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe :: Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe (3 events)
Source: C:\Users\user\Desktop\file.exe :: Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\file.exe :: Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\file.exe :: Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
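The indicators under this heading give a detection engineer two things to key on. First, file.exe starts fresh copies of its own image and then writes a buffer beginning with 4D5A (an MZ header) to that child's image base at 0x400000; together with the "Creates a process in suspended mode" signature, that is the process-hollowing pattern behind "Injects a PE file into a foreign processes", and it explains why the 3_2_ function addresses above belong to a different binary than the 0_2_ ones. Second, the hollowed child fingerprints the host through wmic (OS caption, video controller name, CPU name, plus the direct SELECT Name FROM Win32_Processor query recorded earlier), routing two of the three through cmd /C. Below is an added example, not from the report, that runs both checks over constructed Sysmon Event ID 1 style records modelled on this process tree; all PIDs except 2284 are invented, and the PowerShell and Notepad rows are benign controls.

```python
"""Process-tree detection (added example): self-spawn plus wmic host fingerprinting,
run over constructed Sysmon Event ID 1 style records modelled on the report."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\user\Desktop\file.exe"
WMIC32 = r"C:\Windows\SysWOW64\wbem\WMIC.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed log: PID 2284 is from the report, every other PID is invented; the last three
# rows are benign controls that must not fire.
EVENTS = [
    {"pid": 2284, "ppid": 1500, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 3100, "ppid": 2284, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 3116, "ppid": 2284, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 3140, "ppid": 2284, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 3200, "ppid": 3140, "image": WMIC32, "cmdline": "wmic os get Caption"},
    {"pid": 3220, "ppid": 3140, "image": CMD32, "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 3240, "ppid": 3140, "image": CMD32, "cmdline": 'cmd /C "wmic cpu get name"'},
    {"pid": 3260, "ppid": 3220, "image": WMIC32, "cmdline": "wmic path win32_VideoController get name"},
    {"pid": 3280, "ppid": 3240, "image": WMIC32, "cmdline": "wmic cpu get name"},
    {"pid": 4000, "ppid": 1500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell"},
    {"pid": 4010, "ppid": 4000, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic logicaldisk get size,freespace"},
    {"pid": 4020, "ppid": 1500, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# The three wmic queries the sample issued, plus the raw Win32_Processor class from the WMI
# query line, grouped into host-fingerprinting categories.
FINGERPRINT_QUERIES = {
    "cpu": re.compile(r"\bwmic\b.*\b(cpu|win32_processor)\b", re.I),
    "gpu": re.compile(r"\bwmic\b.*\bwin32_videocontroller\b", re.I),
    "os":  re.compile(r"\bwmic\b.*\bos\s+get\s+caption\b", re.I),
}
WRAPPERS = {"cmd.exe", "wmic.exe"}          # LOLBins that merely relay the query


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def originating_pid(pid: int, by_pid: dict) -> int:
    """Walk up through cmd.exe/WMIC.exe so 'cmd /C wmic ...' is attributed to the real caller."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if basename(by_pid[pid]["image"]) not in WRAPPERS:
            return pid
        pid = by_pid[pid]["ppid"]
    return pid


def analyze(events: list, min_classes: int = 2) -> list:
    by_pid = {e["pid"]: e for e in events}
    findings = []

    # Rule 1: a process creates new instances of its own image. On its own this is weak
    # (browsers and updaters do it); the sandbox's extra evidence, a suspended child and an
    # MZ header written to its image base, is not in Event ID 1 and needs Event 8/10 or ETW.
    self_spawns = defaultdict(int)
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            self_spawns[parent["pid"]] += 1
    for ppid, n in self_spawns.items():
        findings.append({"rule": "self_spawn", "pid": ppid, "image": by_pid[ppid]["image"], "count": n})

    # Rule 2: wmic hardware/OS fingerprinting, scored per originating process so that the
    # cmd.exe wrapper and its WMIC.exe child count once, and fired only when at least
    # min_classes distinct categories are queried (a lone 'wmic os get Caption' is common).
    classes = defaultdict(set)
    for e in events:
        for cls, rx in FINGERPRINT_QUERIES.items():
            if rx.search(e["cmdline"]):
                classes[originating_pid(e["pid"], by_pid)].add(cls)
    for pid, cls in classes.items():
        if len(cls) >= min_classes:
            findings.append({"rule": "wmic_fingerprint", "pid": pid,
                             "image": by_pid[pid]["image"] if pid in by_pid else "?",
                             "classes": sorted(cls)})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The attribution step matters more than the regexes: without it the cmd.exe row and its WMIC.exe child would each look like a single isolated query and never reach the two-category threshold, which is exactly how this sample spreads its reconnaissance across three short-lived processes.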
Source: C:\Users\user\Desktop\file.exe :: Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe :: Queries volume information (VolumeInformation), one event per file, for the following files under C:\Windows\Fonts\:
arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf,
constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf,
ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf,
georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf,
malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf,
msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf,
pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, segoeuii.ttf, seguisli.ttf, seguili.ttf, seguisbi.ttf, segoeuiz.ttf,
seguibl.ttf, seguibli.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf,
tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf, timesbi.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf,
webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, CENTURY.TTF, LEELAWAD.TTF
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Application Data
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\XVlBzgbaiC
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MRAjWwhTHctcuAxhxKQFDaFpLSjFbcXo
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\EFfRsWxPLD
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\zpfRFEgmot
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\aFetHsbZRjxAwnwekrBEmfdzdcEkXBAk
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\jQZLCtTMtT
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\CoaNatyyiNKAReKJyiXJrscctNswYNsG
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\History
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RussVmaozF
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\LocalCache
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ZBsbOJiFQG
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ZsnwTKSmVo
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\LocalCache
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temporary Internet Files
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Application Data
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\History
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\LocalCache VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\LocalCache VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Temporary Internet Files VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Application Data VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\History VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Temporary Internet Files VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3f29930.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3f29930.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2284, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 1380, type: MEMORYSTR
Source: file.exe, 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: text= zombie#PANIC#% CPU ((PANIC=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625:method:scheme:statusAvestanBengaliBrailleBrowserCaptionChanDirConvertCookiesCopySidCreatedCypriotDeseretElbasanEllipseElymaicEndPageFillRgnFireFoxFreeSidGODEBUGGranthaHEADERSHanunooHistoryIM UsedIO waitIridiumIsChildJanuaryK-MelonKannadaMUI_DltMUI_StdMail.RuMakasarMandaicMarchenMozillaMultaniMyanmarNRGBA64OctoberOrbitumOsmanyaPATHEXTPhantomProfileRadicalSHA-224SHA-256SHA-384SHA-512SetMenuSetRectSharadaShavianSiddhamSinhalaSleepExSogdianSoyomboSputnikSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUNKNOWNVivaldiWSARecvWSASendtypes value=abortedcharsetconnectconsolecpuprofexpiresfloat32float64forcegcgctracehead = http://i < capi < leniWalletinvalidlookup minpc= nil keynumber pacer: panic: pdh.dllreaddirrefererrefreshrunningsignal syscalluintptrunknownutf-8''waitingwsarecvwsasend bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AbortDocAcceptExAcceptedArmenianBalineseBopomofoBugineseCancelIoCherokeeChromiumChromodoClassANYCoinbaseConflictContinueCyrillicDecemberDeleteDCDuployanElectrumEndPaintEqualSidEthereumEthiopicExtenderFebruaryFullPathGdiFlushGeorgianGetFocusGetPixelGoStringGujaratiGurmukhiHiraganaIsIconicIsWindowIsZoomedJavaneseK-MeleonKatakanaKayah_LiLinear_ALinear_BMD5+SHA1MahajaniMaxthon3MetamaskMoveToExNO_ERRORNO_PROXYNichromeNovemberOl_ChikiPRIORITYPalettedParseIntPasswordPhags_PaPolylineQIP SurfQuestionReadFileResetDCWSETTINGSSHA3-224SHA3-256SHA3-384SHA3-512SaturdaySetEventSetFocusSetPixelSetTimerStart tgTagbanwaTai_ThamTai_VietTelegramTextOutWThursdayTifinaghTronlinkTypeAAAATypeAXFRUgariticWSAIoctlWaterfoxWeb Data[:word:][signal \Desktopstack=[
Source: file.exe, 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: m=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfunchosthourhttpicmpidleigmpint8itabjaxxjsonkindlinkmap[nonenullopenpathpipepop3profquitreadrootsbrksmtpsse3tRNStcp4tcp6trueudp4uintunixvarywmicxn-- ...
Source: file.exe, 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared librarycompressed name in SRV resource dataedwards25519: invalid point encodinghttp: no Location header in responsehttp: unexpected EOF reading trailerjson: encoding error for type %q: %qkey size not a multiple of key alignmethod ABI and value ABI don't alignreflect: NumField of non-struct typeruntime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18strings.Builder.Grow: negative countsyntax error scanning complex numberuncaching span but s.allocCount == 0) is smaller than minimum page size (2220446049250313080847263336181640625UnsubscribeServiceChangeNotifications\AppData\Roaming\Exodus\exodus.wallet_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!bytes.Buffer: truncation out of rangecannot create context from nil parentcannot exec a shared library directlycipher: message authentication failedcrypto/rsa: public exponent too largecrypto/rsa: public exponent too smallcrypto: Size of unknown hash functionfailed to reserve page summary memorygzip.Write: non-Latin-1 header stringinternal error: unknown network type logWorkTime: unknown mark worker modemethod ABI and value ABI do not alignreflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-rune slicereflect.Value.Convert: value of type reflect: Bits of non-arithmetic Type reflect: NumField of non-struct type reflect: funcLayout of non-func type runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)value too large for defined data type1110223024625156540423631668090820312555511151231257827021181583404541015625Unable to determine system directory: addtimer called with initialized timerafter decimal point in numeric literalarg size to reflect.call more than 1GBcan not access a needed shared libraryconcurrent map iteration and map writeelem size not a multiple of elem alignencoding alphabet is not 64-bytes longgcBgMarkWorker: blackening not enabledinsufficient data for base length typem changed unexpectedly in cgocallbackgmakechan: invalid channel element typemime: expected slash after first tokenruntime: blocked read on free polldescruntime: sudog with non-false isSelecttime: missing Location in call to Datetls: invalid ClientKeyExchange messagetls: invalid ServerKeyExchange messageunreachable method called. linker bug?zip: unsupported compression algorithm2006-01-
Source: file.exe | String found in binary or memory: _PointSetFileCompletionNotificationModesVirtualQuery for stack base failed\AppData\Roaming\Ethereum\keystorecrypto/rsa: missing public modulusdoaddtimer: P already set in timerforEachP: sched.safePointWait != 0frame_settings_window_size_too_bigframe_windowupda
Source: file.exe, 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: , i = , not , val 390625<-chanAnswerArabicArmoryAugustBitBltBrahmiCANCELCarianChakmaChedotCocCocCommonComodoCookieCoowonCopticCryptoEndDocExodusExpectFolderFormatFridayGOAWAYGOROOTGetACPGoogleGothicGray16GuardaHangulHatranHebrewHyphenKaithiKhojkiKometaLepchaLineToLockedLycianLydianMondayMulDivOxygenPADDEDPragmaRGBA64RejangSCHED STREETSaveDCStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoWombatYandexYezidi[]byte\ufffd^user^acceptactiveatomicchan<-closedcookiedomainefenceexec: expectgopherhangupheaderinternip+netkilledliebaolistenlogs//logs\\minutenumberobjectpopcntrdtscpremovesecondselectsendtoserversocketsocks5stringstructsweep sysmontelnettimersuint16uint32uint64unused (scan (scan) (trap MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: file.exe, 00000000.00000002.420469142.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
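Added detection example, not part of the Joe Sandbox report and not code from the sample: the evidence in this section is a non-browser process (file.exe) opening the Chromium profile's credential stores (Login Data, Web Data, Cookies, Local State, History under "User Data") and carrying wallet locations in memory ("\AppData\Roaming\Exodus\exodus.wallet", "\AppData\Roaming\Ethereum\keystore"). The script below turns those paths into a file-access detection rule and runs it over constructed events shaped after this trace. The event layout, the PIDs other than 2284, and the browser allow-list are assumptions for the example. Paths are matched component by component rather than on the leaf name alone, because the report also records mis-joined targets such as "...\Login Data\Opera Stable\Local State".

```python
"""Flag non-browser processes that open browser credential stores or wallet data.

Added example. The events below are constructed for the demonstration; the
sensitive-path lists are taken from the sandbox report's 'File opened',
'Queries volume information' and 'String found' entries.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Chromium profile files a stealer reads: saved logins, autofill, cookies,
# browsing history and the DPAPI-wrapped master key kept in "Local State".
BROWSER_SECRET_FILES = {"login data", "web data", "cookies", "local state", "history"}
# A path only counts as a browser profile if it passes through "User Data";
# this keeps e.g. AppData\Local\History (also queried in the report) out.
CHROMIUM_MARKERS = ("user data",)
# Wallet locations found as strings in the sample's memory (lowercase).
WALLET_PATHS = (r"appdata\roaming\exodus\exodus.wallet", r"appdata\roaming\ethereum\keystore")
# Processes legitimately expected to open these files (assumption for the example).
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}


@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str    # full path of the process that opened the file
    target: str   # file or directory that was opened


def classify(target: str) -> Optional[str]:
    """Return 'wallet', 'browser_secret' or None for one target path."""
    low = target.lower()
    if any(w in low for w in WALLET_PATHS):
        return "wallet"
    # Check every component: the report shows targets like
    # "...\Login Data\Opera Stable\Local State", where the leaf alone would mislead.
    parts = [p.lower() for p in PureWindowsPath(target).parts]
    if any(m in parts for m in CHROMIUM_MARKERS) and any(p in BROWSER_SECRET_FILES for p in parts):
        return "browser_secret"
    return None


def detect(events: List[FileEvent]) -> List[dict]:
    """One alert per (pid, image) that is not a browser and touched sensitive data."""
    hits: Dict[Tuple[int, str], dict] = {}
    for ev in events:
        image_name = PureWindowsPath(ev.image).name.lower()
        if image_name in ALLOWED_IMAGES:
            continue
        kind = classify(ev.target)
        if kind is None:
            continue
        alert = hits.setdefault((ev.pid, image_name),
                                {"pid": ev.pid, "image": ev.image, "categories": set(), "paths": []})
        alert["categories"].add(kind)
        alert["paths"].append(ev.target)
    return list(hits.values())


# Constructed events: PID 2284 mirrors the report's file.exe; the rest are benign noise.
CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    FileEvent(2284, r"C:\Users\user\Desktop\file.exe", CHROME + r"\Default\Login Data"),
    FileEvent(2284, r"C:\Users\user\Desktop\file.exe", CHROME + r"\Default\Network\Cookies"),
    FileEvent(2284, r"C:\Users\user\Desktop\file.exe", CHROME + r"\Local State"),
    FileEvent(2284, r"C:\Users\user\Desktop\file.exe", r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    FileEvent(2284, r"C:\Users\user\Desktop\file.exe", CHROME + r"\Default\GPUCache"),
    FileEvent(4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME + r"\Default\Login Data"),
    FileEvent(5008, r"C:\Windows\explorer.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} image={a['image']} categories={sorted(a['categories'])}")
        for p in a["paths"]:
            print("    ", p)
```

Only the file.exe process is reported: chrome.exe is on the allow-list, the GPUCache open is not a credential store, and the explorer.exe event touches nothing sensitive. In production the allow-list should also check the image's signer or hash, since an unsigned binary named chrome.exe would otherwise pass.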
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History\Opera Stable\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data\Opera Stable\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\Opera Stable\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\a776be69-4c6f-4cdc-86d3-b25c3319b53e
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data\Opera Stable\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform Notifications
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_storeJump to behavior
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons MaskableJump to behavior
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjbJump to behavior

Remote Access Functionality

Source: Yara match, File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.3f29930.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.3f29930.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 2284, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: file.exe PID: 1380, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts11
                  Windows Management Instrumentation
                  Path Interception111
                  Process Injection
                  1
                  Masquerading
                  1
                  OS Credential Dumping
                  2
                  Security Software Discovery
                  Remote Services11
                  Input Capture
                  Exfiltration Over Other Network Medium1
                  Encrypted Channel
                  Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts2
                  Command and Scripting Interpreter
                  Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools
                  11
                  Input Capture
                  1
                  Process Discovery
                  Remote Desktop Protocol1
                  Archive Collected Data
                  Exfiltration Over Bluetooth1
                  Non-Standard Port
                  Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
                  Virtualization/Sandbox Evasion
                  Security Account Manager31
                  Virtualization/Sandbox Evasion
                  SMB/Windows Admin Shares2
                  Data from Local System
                  Automated Exfiltration1
                  Application Layer Protocol
                  Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
                  Process Injection
                  NTDS1
                  File and Directory Discovery
                  Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information
                  LSA Secrets14
                  System Information Discovery
                  SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common2
                  Obfuscated Files or Information
                  Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                  Software Packing
                  DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Behavior Graph ID: 828932, Sample: file.exe, Startdate: 17/03/2023, Architecture: WINDOWS, Score: 100

Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 5 other signatures

Process tree:
• file.exe started
  • Dropped: C:\Users\user\AppData\Local\...\file.exe.log, ASCII
  • Signature: Injects a PE file into a foreign processes
  • file.exe started
    • Network: 138.201.198.8, 49695, 8081 HETZNER-ASDE Germany
    • Signature: Tries to harvest and steal browser information (history, passwords, etc)
    • cmd.exe started
      • WMIC.exe started
      • conhost.exe started
    • cmd.exe started
      • WMIC.exe started
      • conhost.exe started
    • WMIC.exe started
      • conhost.exe started
  • file.exe started
  • file.exe started

Source | Detection | Scanner | Label | Link
file.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
file.exe | 26% | Virustotal | | Browse
file.exe | 100% | Avira | TR/Dropper.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
0.0.file.exe.760000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
3.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
0.2.file.exe.3f29930.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
No Antivirus matches
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
138.201.198.8:8081 | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                  • URL Reputation: safe
                                  unknown
                                  http://www.sajatypeworks.comdecfile.exe, 00000000.00000003.334407976.000000000A4E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334456986.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.comalsfile.exe, 00000000.00000003.361390614.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360858053.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.362252318.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360612532.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.362042227.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360357589.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.362877883.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.361758781.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.361055599.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://en.w8file.exe, 00000000.00000003.334829707.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.typography.netrfile.exe, 00000000.00000003.335401632.000000000A4DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.335453965.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.sandoll.co.krormalYfile.exe, 00000000.00000003.336818877.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.336953413.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.founder.com.cn/cnNfile.exe, 00000000.00000003.348937325.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.343164747.000000000A4E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.340900815.000000000A4E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.342755137.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.346982913.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.338040406.000000000A4DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.341218771.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.348846391.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.338360021.000000000A4DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.340443926.000000000A4EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.343638348.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.348709440.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.348519834.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.sajatypeworks.comatiDfile.exe, 00000000.00000003.334407976.000000000A4E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334456986.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/jp/Jfile.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fonts.comicpfile.exe, 00000000.00000003.334925970.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://search.yahoo.com?fr=crmas_sfpffile.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drfalse
                                    high
                                    http://www.tiro.comfile.exe, 00000000.00000003.340443926.000000000A4EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349085304.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designersVfile.exe, 00000000.00000003.356763762.000000000A4F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      http://www.fontbureau.com/designers/Nfile.exe, 00000000.00000003.355609403.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.355944492.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.355809605.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        http://www.goodfont.co.krfile.exe, 00000000.00000003.337591527.000000000A4E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337485839.000000000A4E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337279918.000000000A4E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337064048.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337407744.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337208191.000000000A4E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337545124.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.336953413.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comfile.exe, 00000000.00000003.348519834.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sajatypeworks.comentfile.exe, 00000000.00000003.334407976.000000000A4E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334456986.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.carterandcone.com.file.exe, 00000000.00000003.348937325.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.galapagosdesign.com/staff/dennis.htmfile.exe, 00000000.00000003.366292013.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.366739703.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.366292013.000000000A4F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.366497870.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.367006125.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.366497870.000000000A4F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://fontfabrik.comfile.exe, 00000000.00000003.335401632.000000000A4DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.335453965.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designerslfile.exe, 00000000.00000003.375775911.000000000A4F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/Y0ofile.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351968972.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352416154.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352202056.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352321678.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.typography.netfile.exe, 00000000.00000003.335535000.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cntfile.exe, 00000000.00000003.337962891.000000000A4EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337794063.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fonts.comfile.exe, 00000000.00000003.335065058.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.335116048.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334886028.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334925970.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://www.sandoll.co.krfile.exe, 00000000.00000003.336953413.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comUfile.exe, 00000000.00000003.349229151.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.348937325.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349085304.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sajatypeworks.comdfile.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.defile.exe, 00000000.00000003.355239770.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sajatypeworks.comumafile.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.sakkal.comfile.exe, 00000000.00000003.352106495.000000000A4E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comtoTFfile.exe, 00000000.00000003.355609403.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fonts.comyfile.exe, 00000000.00000003.334886028.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.carterandcone.comNfile.exe, 00000000.00000003.346982913.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.343638348.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.348709440.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.348519834.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comfile.exe, 00000000.00000003.358424688.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://www.fontbureau.comFfile.exe, 00000000.00000003.363887790.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.361390614.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.363652022.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.358838510.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.358650609.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360858053.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.362252318.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.363183458.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.363357084.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360612532.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.362042227.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360357589.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.363484404.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.364086987.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.362877883.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.361758781.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.361055599.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.358424688.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.agfamonotype.file.exe, 00000000.00000003.356763762.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drfalse
                                                high
                                                https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchfile.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drfalse
                                                  high
                                                  http://www.fontbureau.comUfile.exe, 00000000.00000003.355609403.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.355944492.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.355809605.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/oifile.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlefile.exe, 00000000.00000003.359703889.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.jiyu-kobo.co.jp/jp/file.exe, 00000000.00000003.351870436.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352106495.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351422934.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351968972.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.350669718.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.comafile.exe, 00000000.00000003.361390614.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360858053.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.362252318.000000000A4F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.358246722.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360612532.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.362042227.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.360357589.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.361758781.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.361055599.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.358424688.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.sajatypeworks.comelpfile.exe, 00000000.00000003.334493619.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://ac.ecosia.org/autocomplete?q=jQZLCtTMtT.3.drfalse
                                                      high
                                                      https://search.yahoo.com?fr=crmas_sfpfile.exe, 00000003.00000003.444161760.000000001202B000.00000004.00001000.00020000.00000000.sdmp, jQZLCtTMtT.3.drfalse
                                                        high
                                                        http://www.founder.com.cn/cnfile.exe, 00000000.00000003.338040406.000000000A4DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fonts.com(#Lfile.exe, 00000000.00000003.335065058.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.335116048.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.335249316.000000000A4E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.334925970.000000000A4E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://www.founder.com.cn/cni-ffile.exe, 00000000.00000003.337794063.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlfile.exe, 00000000.00000003.359703889.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.fontbureau.comqfile.exe, 00000000.00000003.359703889.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.monotype.file.exe, 00000000.00000003.336531465.000000000A4E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers%file.exe, 00000000.00000003.361055599.000000000A4F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.jiyu-kobo.co.jp/file.exe, 00000000.00000003.351984660.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.353556246.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.352570967.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.349973673.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.comofile.exe, 00000000.00000003.376303300.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.376041354.000000000A4F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.375775911.000000000A4F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.founder.com.cn/cn/)file.exe, 00000000.00000003.337279918.000000000A4E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337064048.000000000A4E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.337208191.000000000A4E2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers:file.exe, 00000000.00000003.356763762.000000000A4F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
138.201.198.8 | unknown | Germany | | 24940 | HETZNER-ASDE | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 828932
Start date and time: 2023-03-17 17:28:19 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@20/9@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 89.4% (good quality ratio 48.1%)
• Quality average: 39.5%
• Quality standard deviation: 41.9%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 32
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
17:30:09 | API Interceptor | 3x Sleep call for process: WMIC.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
138.201.198.8 | file.exe | malicious | Aurora, DanaBot, RedLine, SmokeLoader, Stealc
138.201.198.8 | aILr0rVvoA.exe | malicious | Aurora, DanaBot, SmokeLoader, Stealc
138.201.198.8 | o9yHH9sxKX.exe | malicious | Aurora, DanaBot, RedLine, SmokeLoader, Stealc
138.201.198.8 | file.exe | malicious | Aurora, RedLine
138.201.198.8 | SCEgQWi3D9.exe | malicious | Aurora, RedLine, SmokeLoader, Stealc, Vidar
138.201.198.8 | SecuriteInfo.com.Win32.CrypterX-gen.28896.28730.exe | malicious | Aurora, RedLine, SmokeLoader
138.201.198.8 | KXNnA9XF2X.exe | malicious | Aurora
138.201.198.8 | r6HCXXcjBo.exe | malicious | Aurora, RedLine, SmokeLoader
138.201.198.8 | MrlNkx5wSj.exe | malicious | Aurora, RedLine, SmokeLoader
138.201.198.8 | zwAtMOSGvE.exe | malicious | Aurora, RedLine, SmokeLoader
138.201.198.8 | file.exe | malicious | Aurora, RedLine, SmokeLoader
138.201.198.8 | tXuIoDrqYw.exe | malicious | LimeRAT, RedLine
138.201.198.8 | D2MMAYEwZi.exe | malicious | RedLine
138.201.198.8 | RRYw02YctR.exe | malicious | RedLine
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 116.203.13.130
HETZNER-ASDE | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 116.203.13.130
HETZNER-ASDE | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 116.203.13.130
HETZNER-ASDE | Form - 16 Mar, 2023.one | malicious | Emotet | 95.217.221.146
HETZNER-ASDE | ccdc 5b contract explained 17361.js | malicious | Unknown | 188.40.17.102
HETZNER-ASDE | Vero.html | malicious | HtmlDropper | 195.201.55.155
HETZNER-ASDE | file.exe | malicious | RedLine | 135.181.173.163
HETZNER-ASDE | file.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 116.203.13.130
HETZNER-ASDE | dot_net_crypted.exe | malicious | Vidar | 49.12.239.21
HETZNER-ASDE | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 116.203.13.130
HETZNER-ASDE | file.exe | malicious | Aurora, DanaBot, RedLine, SmokeLoader, Stealc | 138.201.198.8
HETZNER-ASDE | Voicemail sound attachment.html | malicious | HTMLPhisher | 178.63.52.51
HETZNER-ASDE | aILr0rVvoA.exe | malicious | Aurora, DanaBot, SmokeLoader, Stealc | 138.201.198.8
HETZNER-ASDE | o9yHH9sxKX.exe | malicious | Aurora, DanaBot, RedLine, SmokeLoader, Stealc | 138.201.198.8
HETZNER-ASDE | kwari.x86.elf | malicious | Mirai | 144.79.65.18
HETZNER-ASDE | D0C93848394-Spodogenic.vbs | malicious | Remcos | 94.130.249.123
HETZNER-ASDE | MBQ24253060297767042_202303161424.one | malicious | Emotet | 95.217.221.146
HETZNER-ASDE | iMedPub_LTD_4.one | malicious | Emotet | 95.217.221.146
HETZNER-ASDE | iMedPub_LTD_6.one | malicious | Emotet | 95.217.221.146
HETZNER-ASDE | INNOVINC.one | malicious | Emotet | 95.217.221.146
No context
No context
Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
Process: C:\Users\user\Desktop\file.exe
File Type: JSON data
Category: dropped
Size (bytes): 333122
Entropy (8bit): 6.0166085054822025
Encrypted: false
SSDEEP: 6144:AXNyTOpBmAh4A8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dBt:AyT6BmAeVxzurRDn9nfNxF4ijZVtilBt
MD5: FC9350304206BCAE11EDC5F911EFEA92
SHA1: 0AFC39D86BAF4F1C510D00B5817A677D760FACE2
SHA-256: 7A135CC412FA4152B39EBCAED8817B903DA7968DBAABD6FE657A3A3B5F5D88E1
SHA-512: A327BD0D57B7D7395A0FC8F742D738FB38C0BB9899A116D5C90061B3998762E9B7660A631A2C25ECAC4968A4DCBB2EF0033BA6A2C2477CF7DD15D0C933C7A3F8
Malicious: false
                                                                                          Preview:{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.660688430461074e+12,"network":1.660656002e+12,"ticks":401483518.0,"uncertainty":1453614.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIX
Process: C:\Users\user\Desktop\file.exe
File Type: SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 49152
Entropy (8bit): 0.7876734657715041
Encrypted: false
SSDEEP: 48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5: CF7758A2FF4A94A5D589DEBAED38F82E
SHA1: D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256: 6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512: 1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious: false
                                                                                          Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\file.exe
File Type: SQLite 3.x database, last written using SQLite version 3038005, file counter 2, database pages 36, 1st free page 10, free pages 4, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 147456
Entropy (8bit): 0.45387870883890413
Encrypted: false
SSDEEP: 96:iWvdU+bb3DtSOaDN6tOVjN9DLjGQLBE3u:iWvK+H3NGN6IVj3XBBE3u
MD5: 9D9851BF9104273B5AB6337A4E38A4AE
SHA1: 0FF6130A7A10B06B73DAB3687ABA6FCD4E92C2E8
SHA-256: DBC976D79FBC0F3BA62CDEA6EFDDEEAE0ADD7EBF092B865DBB907A1D9B9DA5E1
SHA-512: DEF485857FB1F882895122AF5ABBC502E708CA62735FF8AC855DEAEC7334D9858019D7889E90B64258EA08E634F3826B7962C29F331392670521C6EABEA0F5E8
Malicious: false
                                                                                          Preview:SQLite format 3......@ .......$...........&......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\file.exe
File Type: SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 94208
Entropy (8bit): 1.287139506398081
Encrypted: false
SSDEEP: 192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
MD5: 292F98D765C8712910776C89ADDE2311
SHA1: E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
SHA-256: 9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
SHA-512: 205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
Malicious: false
                                                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\Desktop\file.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
                                                                                          Category:dropped
                                                                                          Size (bytes):28672
                                                                                          Entropy (8bit):0.4393511334109407
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
                                                                                          MD5:8C31C5487A97BBE73711C5E20600C1F6
                                                                                          SHA1:D4D6B04226D8FFC894749B3963E7DB7068D6D773
                                                                                          SHA-256:A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
                                                                                          SHA-512:394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.924268106226824
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          File name:file.exe
                                                                                          File size:5018112
                                                                                          MD5:d442830fc92de9465d9bf425922173a5
                                                                                          SHA1:27eaed777470e6a9f855894b2af3c7baa1c812eb
                                                                                          SHA256:5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449
                                                                                          SHA512:1ce42ab9055bf0c15f8f4b90820c8d4c74f348dc1e1833d26f55f61b671cdafee24a0777ea60a3a5cf5b297c31380a79a1a7d0568c81886f2472d265f77c7146
                                                                                          SSDEEP:98304:9j3/I9FTuPXPlGUi317EPTiu0ENWS5ywGDZHU:9/MF4l5GgUEMSrwU
                                                                                          TLSH:363612BAB9E5FF0AD8778538C560B335D12A9C129253850DD3DB3210BEB27EC2D86D58
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................G..x......b6G.. ...@G...@.. ........................L...........@................................
                                                                                          Icon Hash:71e4b6d46cf8cc13
                                                                                          Entrypoint:0x873662
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x6414B9AA [Fri Mar 17 19:04:10 2023 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x473618 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x474000 | 0x57460 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4cc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x471668 | 0x471800 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x474000 | 0x57460 | 0x57600 | False | 0.0488309191702432 | data | 4.284780173398752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4cc000 | 0xc | 0x200 | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "G" | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x474094 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | German | Germany
RT_ICON | 0x4b60e0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | German | Germany
RT_ICON | 0x4c692c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | German | Germany
RT_ICON | 0x4c8ef8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | German | Germany
RT_ICON | 0x4c9fc4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | German | Germany
RT_ICON | 0x4ca970 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | German | Germany
RT_GROUP_ICON | 0x4cae28 | 0x5a | data | German | Germany
RT_VERSION | 0x4caebe | 0x37c | data | |
RT_MANIFEST | 0x4cb276 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken | Map
German | Germany |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/17/23-17:30:41.217735 | TCP | 2043200 | ET TROJAN Win32/Aurora Stealer Thanks Command | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
03/17/23-17:30:40.120429 | TCP | 2043199 | ET TROJAN Win32/Aurora Stealer Accept Command | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
03/17/23-17:30:09.566708 | TCP | 2043198 | ET TROJAN Win32/Aurora Stealer WORK Command | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2023 17:30:09.292762041 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:09.315767050 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:09.315901041 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:09.566708088 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:09.615262985 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:20.610646963 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:20.633804083 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:20.638794899 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:20.706290960 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:20.791424036 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:20.814559937 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:20.821824074 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:20.904890060 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:21.655575037 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:21.682756901 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:21.682780981 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:21.682818890 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:21.688469887 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:21.793350935 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:24.850615025 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:24.875174999 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:25.001801968 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.909135103 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.918754101 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.932133913 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.941968918 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.942006111 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.942040920 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.942058086 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.942105055 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.942276001 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.942370892 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.942375898 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.942481041 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.965544939 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.965584993 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.965687037 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.965756893 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.965908051 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.965930939 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.966077089 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.966097116 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.966105938 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.966157913 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.966424942 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.966445923 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.966519117 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.966661930 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.966820955 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.989064932 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.989135027 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.989187002 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.989295006 CET | 8081 | 49695 | 138.201.198.8 | 192.168.2.5
Mar 17, 2023 17:30:39.989325047 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.989396095 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
Mar 17, 2023 17:30:39.989396095 CET | 49695 | 8081 | 192.168.2.5 | 138.201.198.8
                                                                                          Mar 17, 2023 17:30:39.989434004 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:39.989517927 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:39.989629030 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:39.989800930 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:39.989969969 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:39.990009069 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:39.990052938 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:39.990163088 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:39.990303040 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:39.990340948 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:39.990442991 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:39.990576982 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:39.990762949 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.012473106 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.012507915 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.012679100 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.012711048 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.012908936 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.012978077 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.013019085 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.013261080 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.013344049 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.013362885 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.013448000 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.013472080 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.013544083 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.013633966 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.013753891 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.013847113 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.013963938 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.014031887 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.014105082 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.014182091 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.014301062 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.014372110 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.014406919 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.014529943 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.014616013 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.014650106 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.014767885 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.014816046 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.014960051 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.015057087 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.015058994 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.018815994 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.035850048 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.035887957 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.035907030 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.036036015 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.036066055 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.036083937 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.036164045 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.036164045 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.036189079 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.036192894 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.036355972 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.036446095 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.036468029 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.036540031 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.036580086 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.036927938 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037111044 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.037161112 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037180901 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037241936 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037331104 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.037368059 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.037498951 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037520885 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037568092 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.037597895 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.037841082 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037863016 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037879944 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037899971 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.037982941 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.038027048 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.041699886 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.041845083 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.059000969 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.059040070 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.059169054 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.059179068 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.059292078 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.059407949 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.059508085 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.059529066 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.059629917 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.059773922 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.059869051 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.059973955 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.059992075 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.060076952 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.060173035 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.060214996 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.060309887 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.060367107 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.060467958 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.060549021 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.060563087 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.060687065 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.060697079 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.060751915 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.060781002 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061017990 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061052084 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061122894 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061271906 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061315060 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061363935 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061388016 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061400890 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061464071 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061482906 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061549902 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061574936 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061606884 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061667919 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061758995 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061799049 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061817884 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061912060 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.061928034 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061955929 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.061995983 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.064574957 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.064601898 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.064723015 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.064730883 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.064924002 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.082125902 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.082163095 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.082180977 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.082236052 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.082310915 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.082357883 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.082427979 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.082567930 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.082592010 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.082611084 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.082757950 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.082787991 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.082959890 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.082982063 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.083077908 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.083225012 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.083246946 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.083302021 CET496958081192.168.2.5138.201.198.8
                                                                                          Mar 17, 2023 17:30:40.083329916 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.083542109 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.083666086 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.083730936 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.083870888 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084031105 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084053993 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084259987 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084423065 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084443092 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084503889 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084770918 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084856987 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.084969997 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085088968 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085206032 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085279942 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085361958 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085439920 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085563898 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085639954 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085720062 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.085799932 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.086111069 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.086209059 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.086237907 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.086317062 CET808149695138.201.198.8192.168.2.5
                                                                                          Mar 17, 2023 17:30:40.086396933 CET808149695138.201.198.8192.168.2.5
Mar 17, 2023 17:30:40.086483955 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.086563110 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.086636066 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.086798906 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.086831093 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.086920977 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087049961 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087079048 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087295055 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087317944 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087347984 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087441921 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087565899 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087640047 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087908030 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087934017 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.087954044 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088048935 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088269949 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088293076 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088403940 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088529110 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088551044 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088752985 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088787079 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088805914 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.088928938 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.089001894 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.089078903 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.089226007 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.089272976 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.089405060 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.105392933 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.105523109 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.105566978 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.105611086 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.105658054 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.105721951 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.105766058 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.105976105 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.106082916 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.106293917 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.106498003 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.106578112 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.106770039 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.106808901 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.106961012 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.107017040 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.107256889 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.107407093 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.107569933 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.120429039 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:40.121771097 CET  49695  8081   192.168.2.5    138.201.198.8
Mar 17, 2023 17:30:40.194259882 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:41.217735052 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:41.217775106 CET  8081   49695  138.201.198.8  192.168.2.5
Mar 17, 2023 17:30:41.217863083 CET  49695  8081   192.168.2.5    138.201.198.8
Mar 17, 2023 17:30:55.966594934 CET  49695  8081   192.168.2.5    138.201.198.8

Target ID: 0
Start time: 17:29:18
Start date: 17/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x760000
File size: 5018112 bytes
MD5 hash: D442830FC92DE9465D9BF425922173A5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Aurora, Description: Yara Aurora Stealer, Source: 00000000.00000002.423994367.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 17:30:06
Start date: 17/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x1f0000
File size: 5018112 bytes
MD5 hash: D442830FC92DE9465D9BF425922173A5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 2
Start time: 17:30:07
Start date: 17/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0xf0000
File size: 5018112 bytes
MD5 hash: D442830FC92DE9465D9BF425922173A5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 3
Start time: 17:30:07
Start date: 17/03/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x840000
File size: 5018112 bytes
MD5 hash: D442830FC92DE9465D9BF425922173A5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Aurora, Description: Yara Aurora Stealer, Source: 00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 6
Start time: 17:30:09
Start date: 17/03/2023
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic os get Caption
Imagebase: 0x3c0000
File size: 391680 bytes
MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 7
Start time: 17:30:09
Start date: 17/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 8
Start time: 17:30:11
Start date: 17/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C "wmic path win32_VideoController get name"
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 9
Start time: 17:30:11
Start date: 17/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 10
Start time: 17:30:11
Start date: 17/03/2023
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic path win32_VideoController get name
Imagebase: 0x3c0000
File size: 391680 bytes
MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 11
Start time: 17:30:17
Start date: 17/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C "wmic cpu get name"
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 12
Start time: 17:30:17
Start date: 17/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 13
Start time: 17:30:17
Start date: 17/03/2023
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic cpu get name
Imagebase: 0x3c0000
File size: 391680 bytes
MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Execution Graph

Execution Coverage: 16%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 3.3%
Total number of Nodes: 304
Total number of Limit Nodes: 28

execution_graph: interactive call graph not reproduced here. Windows API calls reached by the graph's nodes: CallWindowProcW, SetWindowLongW, CreateWindowExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, GetModuleHandleW, LoadLibraryExW, CreateActCtxA.
32326 143b3f9 32325->32326 32327 143803c 2 API calls 32325->32327 32328 143a190 2 API calls 32326->32328 32327->32326 32329 143b466 32328->32329 32329->32321 32331 143b3b5 32330->32331 32332 143b3f9 32331->32332 32333 143803c 2 API calls 32331->32333 32334 143a190 2 API calls 32332->32334 32333->32332 32335 143b466 32334->32335 32335->32321 32352 4f61518 32354 54cd514 2 API calls 32352->32354 32353 4f6152f 32354->32353
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1430000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6697238e62fa738da85bfe83d5e58fd0906ede5ad2c81863be94aea9ffdff765
                                                                                            • Instruction ID: 25c58ae1e64078a1e501371daf861f65aa7d5bbb629c3931b7955fbc341720a2
                                                                                            • Opcode Fuzzy Hash: 6697238e62fa738da85bfe83d5e58fd0906ede5ad2c81863be94aea9ffdff765
                                                                                            • Instruction Fuzzy Hash: 6A529031A40619CFCB15CF58C884AAEB7B2FF88314F6584AAD949EB261D770FD85CB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.440079822.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 01e8d06a9cade6b25645625b999225fe7108e091343611d8e8308128b3d11a86
                                                                                            • Instruction ID: 888a9df0640bdaf488695a7caa6bdacc4fa4d0b115f7e689afb063d4243c6513
                                                                                            • Opcode Fuzzy Hash: 01e8d06a9cade6b25645625b999225fe7108e091343611d8e8308128b3d11a86
                                                                                            • Instruction Fuzzy Hash: 6DE15234B00219DFDB54DFA9C855BAEBBF2BF84700F1481AAE5069B395DB75AC41CB80
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1430000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80f97d08578d918c7d02040c043e7cf9de4642f88f0b2424dd9673ae245ae16c
                                                                                            • Instruction ID: 039625d8147f8f2f5e7b217160b4a4fd9e3c06fc7685b05309ec070decedd9c2
                                                                                            • Opcode Fuzzy Hash: 80f97d08578d918c7d02040c043e7cf9de4642f88f0b2424dd9673ae245ae16c
                                                                                            • Instruction Fuzzy Hash: 0D916135E0031ADFCB04DBA4D8549DEBBB6FF99314F14861AE516AB3A4EB30A941CB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1430000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9319a644b4b52b096ed2d93e207a6355ddfdae2634a1c6062bc99ebea735b734
                                                                                            • Instruction ID: 55a4da5188f020b208b6646c50f9ca6b36cbcd0631660b112e9ae27d845c24c1
                                                                                            • Opcode Fuzzy Hash: 9319a644b4b52b096ed2d93e207a6355ddfdae2634a1c6062bc99ebea735b734
                                                                                            • Instruction Fuzzy Hash: 73818235E0031ADFCB04DBA4D8849DEBB7AFFD9310F148615E516AB3A4EB30A945DB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.440079822.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 327f4808bb32d9be30e0f0c2041f5da1f5b1668ff30acf35b6759f5abe6ab342
                                                                                            • Instruction ID: b5db17f3808e6942ffb70c25d053704515c5950485b8b8de240bb6a0c5ec72b2
                                                                                            • Opcode Fuzzy Hash: 327f4808bb32d9be30e0f0c2041f5da1f5b1668ff30acf35b6759f5abe6ab342
                                                                                            • Instruction Fuzzy Hash: 93418F1A176E441BC5F5436B8DEB3C73E60F982214BEE71CB84A8C6F55E604C982D9CB
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (summarized from the rendered graph): basic blocks 1437828-14379e7; the entry block calls GetCurrentProcess, then GetCurrentThread (14378b2), GetCurrentProcess again (14378ef), an internal call to 14379e9 (143792c) and GetCurrentThreadId (143794d).
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 01437898
                                                                                            • GetCurrentThread.KERNEL32 ref: 014378D5
                                                                                            • GetCurrentProcess.KERNEL32 ref: 01437912
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0143796B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1430000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: fbe5b77d390728d6c10e91b28887c989d865d3bf779551a26629470ac0ece7d1
                                                                                            • Instruction ID: c18920019744fc5e0d5d470c0c759d1f600418ff047a75b627781c719ada5e6f
                                                                                            • Opcode Fuzzy Hash: fbe5b77d390728d6c10e91b28887c989d865d3bf779551a26629470ac0ece7d1
                                                                                            • Instruction Fuzzy Hash: D35102B09002498FDB18CFAAC588BDEBFF1FF88314F24856AE449A73A1D7345844CB65
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (summarized from the rendered graph): basic blocks 1437838-14379e7, the same block structure and call sites as the graph for entry 1437828 above; the entry block calls GetCurrentProcess, then GetCurrentThread (14378b2), GetCurrentProcess again (14378ef), an internal call to 14379e9 (143792c) and GetCurrentThreadId (143794d).
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 01437898
                                                                                            • GetCurrentThread.KERNEL32 ref: 014378D5
                                                                                            • GetCurrentProcess.KERNEL32 ref: 01437912
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0143796B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1430000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: 995ab2e62a72e6e2c22512001b5e472d9a897f2646b35caa0071c1cd0bf71e94
                                                                                            • Instruction ID: 1ce748b7182ee049ae75e20a77c2484071f3aee9677b401184b2d11cd34e22f8
                                                                                            • Opcode Fuzzy Hash: 995ab2e62a72e6e2c22512001b5e472d9a897f2646b35caa0071c1cd0bf71e94
                                                                                            • Instruction Fuzzy Hash: DD5124B09002498FDB18CFAAC548BDEBFF1BF88314F20856AE449A73A1D7345844CF65
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (summarized from the rendered graph): basic blocks 143c859-143cad8; internal calls to 143bc2c (143c859), 143cae0 or 143caf0 (143c885), 143bc38 (143c910), 143bc48 (143c958), 143a0e0 and 143bc58 (143c97e), and 143cdc0 or 143cdd0 (143c998); GetModuleHandleW is called from block 143ca90-143cabb.
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0143CAAE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1430000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: cd5d89e6a8b3038141cd179e5f141682aeae887de1a811cc1d002e46a4d80b45
                                                                                            • Instruction ID: 04d1f8f1288b28d016f047efec515fab10558e52de3e33596aae617c08a486f7
                                                                                            • Opcode Fuzzy Hash: cd5d89e6a8b3038141cd179e5f141682aeae887de1a811cc1d002e46a4d80b45
                                                                                            • Instruction Fuzzy Hash: B67125B1A00B058FD764DF2AD19075BBBF1BF88214F10892ED48AE7B50DB35E8068B91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (summarized from the rendered graph): entry at 54c3128, blocks spanning 54c30dc-54c4329; CreateActCtxA is called from block 54c4263-54c42a1; the graph ends in a self-loop at 54c4329.
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 054C4291
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.440079822.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: f2acd93697c308ce2ba722f2ea3cb74b035b11266edafbf2d247dd3e401bf810
                                                                                            • Instruction ID: 6bc9d56557d43fb8daeddcd58a6b44bf62e513117213c24fa183bdc2b6518325
                                                                                            • Opcode Fuzzy Hash: f2acd93697c308ce2ba722f2ea3cb74b035b11266edafbf2d247dd3e401bf810
                                                                                            • Instruction Fuzzy Hash: 927186718043588FDB20DFA9C898BCEBFF1BF48314F2484AAD449AB251D7749885CFA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (summarized from the rendered graph): entry at 143e90d, blocks spanning 143e90d-143ea89; CreateWindowExW is called from block 143e9db-143ea3a; the graph ends in a self-loop at 143ea89.
                                                                                            APIs
                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0143EA2A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1430000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateWindow
                                                                                            • String ID:
                                                                                            • API String ID: 716092398-0
                                                                                            • Opcode ID: 124cc8a4fca200f7600a5475db7cf10a09172c9fbeedd1516c4634a6860cd95f
                                                                                            • Instruction ID: 9d24e65b8c8cf9e1317055671deb0f62570b96246491c5b59798e06071aec378
                                                                                            • Opcode Fuzzy Hash: 124cc8a4fca200f7600a5475db7cf10a09172c9fbeedd1516c4634a6860cd95f
                                                                                            • Instruction Fuzzy Hash: 5151B0B1D013199FDB14CF9AC884ADEBFB5FF88710F24852AE519AB210D7749945CF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (summarized from the rendered graph): entry at 143e918, blocks spanning 143e918-143ea89 and overlapping the graph for entry 143e90d above; CreateWindowExW is called from block 143e99b-143ea3a; the graph ends in a self-loop at 143ea89.
                                                                                            APIs
                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0143EA2A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1430000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateWindow
                                                                                            • String ID:
                                                                                            • API String ID: 716092398-0
                                                                                            • Opcode ID: 5ff362996b036fb277a09b5fd3f8d3cbbcf3c4e983db94b30b3b26b938281576
                                                                                            • Instruction ID: 7318b36fd7418520611f980e1453ea3f6270ec4a88213f6e4a6f518eb159b5a6
                                                                                            • Opcode Fuzzy Hash: 5ff362996b036fb277a09b5fd3f8d3cbbcf3c4e983db94b30b3b26b938281576
                                                                                            • Instruction Fuzzy Hash: 1841B0B1D01309DFDB14CF9AC884ADEBFB5BF88710F24852AE419AB210D7749945CF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

Control-flow Graph (function at 014379E9; rendered graph omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01437AE7
Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: f6d422c62c6d6f03188fe3f7008f23d6c56ee6122ec3d72e5f412e58a62a5244
• Instruction ID: c5e2ba6f1b0f1bf0696fd7638113a4712ae9fd2b29d1f6799c18217887b33785
• Opcode Fuzzy Hash: f6d422c62c6d6f03188fe3f7008f23d6c56ee6122ec3d72e5f412e58a62a5244
• Instruction Fuzzy Hash: A9414AB6900209AFDB01CF99D844ADEBFF5FB88320F14802AF955A7361C7399955DFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function at 054C41D4; rendered graph omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 054C4291
Memory Dump Source
• Source File: 00000000.00000002.440079822.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54c0000_file.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 0b3c29e5e8a660a766d4498b6cfa42e91f4ffc0edc80d9a514cdc4861f1338c9
• Instruction ID: 84f4fb9dbeac1826ccc1d807deff53435757e8b20baba0a980a5888be36cf2c6
• Opcode Fuzzy Hash: 0b3c29e5e8a660a766d4498b6cfa42e91f4ffc0edc80d9a514cdc4861f1338c9
• Instruction Fuzzy Hash: 0841F671C00729CFDB14CF99C945BCEBBB1BF88305F20849AD409AB255D7B55946CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function at 054C310C; rendered graph omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 054C4291
Memory Dump Source
• Source File: 00000000.00000002.440079822.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54c0000_file.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c3b9e7fc0d77e50ef07aa67bd37a36d2b61d33bfdc75075e54a532c3dd02f3ad
• Instruction ID: ce4960c0567b50db6f83d01cfd3f81b87e26164d571aec5a834bf21a3b56dfe0
• Opcode Fuzzy Hash: c3b9e7fc0d77e50ef07aa67bd37a36d2b61d33bfdc75075e54a532c3dd02f3ad
• Instruction Fuzzy Hash: 5441F574C00328CFDB24DF99C948BDEBBB1BF88305F6084AAD409AB255D7B55946CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function at 054C10E0; rendered graph omitted)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 054C11A1
Memory Dump Source
• Source File: 00000000.00000002.440079822.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54c0000_file.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 93048b0cb5a63e90b2be44cdb62bd3def2b52697a20ca96bf73ca520a7cff925
• Instruction ID: cc9eb8dc6d7ba396453426ec5bebf4d9cee19f1a9e957dbd1478de3e8f000ec8
• Opcode Fuzzy Hash: 93048b0cb5a63e90b2be44cdb62bd3def2b52697a20ca96bf73ca520a7cff925
• Instruction Fuzzy Hash: 74411BB9A002059FCB54CF99C848AAABFF5FF8C314F24859DD419A7321D734A941CFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function at 0143EB20; rendered graph omitted)
APIs
• SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0143EBBD
Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: f7dbb7f2173b8c77b579675c68bedcd1c9221867f70dc0ec5cf55e89d7c828f4
• Instruction ID: 5dc2b19e04b0c177dd6ba8f85e28bf388bddd376c1f35ccfe4d1c7ca1d0397bb
• Opcode Fuzzy Hash: f7dbb7f2173b8c77b579675c68bedcd1c9221867f70dc0ec5cf55e89d7c828f4
• Instruction Fuzzy Hash: A72169B5800249DFDB11CFA5D945BCABBF4FB48324F18845AD455B7251C338A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01437AE7
Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 3b68d3e6257867548541815ae7d28fa6f219bfbf383cba0f9314a487b5e4e219
• Instruction ID: 6ed2428150e2edab0d31b725bc387bcef9f26125358312f21c1108414182003d
• Opcode Fuzzy Hash: 3b68d3e6257867548541815ae7d28fa6f219bfbf383cba0f9314a487b5e4e219
• Instruction Fuzzy Hash: 0321C2B59002099FDB10CFAAD984ADEBFF8FB48320F14841AE954B7350D374AA55CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0143CB29,00000800,00000000,00000000), ref: 0143CD3A
Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: ae90b81d21b55a2c4d612f270d563b4ddd31d348796fd5b2572ed8859e2b40e4
• Instruction ID: 36a591eeccde5f3cff4d2deefef3babab675994ec2e1e55b313fce3397870f62
• Opcode Fuzzy Hash: ae90b81d21b55a2c4d612f270d563b4ddd31d348796fd5b2572ed8859e2b40e4
• Instruction Fuzzy Hash: 681103B69002098FDB10CF9AC488ADEFBF4EB88320F10852AE515B7350C378A545CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0143CB29,00000800,00000000,00000000), ref: 0143CD3A
Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: fabdeeae9934cd7d9fbf4249ab6d9f04442f381387d812672023cf7dbebc577d
• Instruction ID: 420cf7813296f475d666fd7dc8b721e8b5fed60216d9fa623cf44eae51632e2d
• Opcode Fuzzy Hash: fabdeeae9934cd7d9fbf4249ab6d9f04442f381387d812672023cf7dbebc577d
• Instruction Fuzzy Hash: 6011E4B69002098FDB10CF9AD588BDEFBF4BB88720F14851AE515B7710C378A546CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0143CAAE
Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 7e53ef6aebbf35a2d10b6941a5cc691eb180be2e4b4fac82ae75e9d16b2b2e75
• Instruction ID: 80ad84bd6c3511ac9fe95f7e965f627e2c7428d84b026cbf9d3d3b21df677156
• Opcode Fuzzy Hash: 7e53ef6aebbf35a2d10b6941a5cc691eb180be2e4b4fac82ae75e9d16b2b2e75
• Instruction Fuzzy Hash: AB11DFB6D002498FDB10DF9AC484BDEFBF4AB88324F14856AD919B7710C375A546CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0143EBBD
Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 88610ed349af488ffb9ff335c320288040c53c09f5967e041b55e313684ef723
• Instruction ID: ce7699eb8504ccd13a3b2df20dc1bd7bc2290d028735ae5e43380407bc79a70a
• Opcode Fuzzy Hash: 88610ed349af488ffb9ff335c320288040c53c09f5967e041b55e313684ef723
• Instruction Fuzzy Hash: 2311F2B59002099FDB10CF9AD588BDEBBF8EB88320F20855AE955B7350C374A944CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418796725.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13dd000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8bb1ec22a300d1584c988e2b696c8aac9f5ccc61646838f96bd87c501dc44e7
• Instruction ID: 6e89104bf6f8c7b1831a1b0a2462e7225cc0ffdf1218f4a54dcd5f6b7ea6a85f
• Opcode Fuzzy Hash: b8bb1ec22a300d1584c988e2b696c8aac9f5ccc61646838f96bd87c501dc44e7
• Instruction Fuzzy Hash: 092145B2504244EFDB01DF98E9C0B66BF75FB84328F20C669E8091B686C736E446C7A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418896214.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13ed000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92f33935e7c3c1338752861a4a63d8a2f6cac885178656a0961b21213916c83f
• Instruction ID: 0635c439a75eb68e6e5d285ced1b117935a2ca21ee9b759a950dfd684a620453
• Opcode Fuzzy Hash: 92f33935e7c3c1338752861a4a63d8a2f6cac885178656a0961b21213916c83f
• Instruction Fuzzy Hash: 9D210071604344DFDB15CF58D8C8B16BFA5FB84358F28C969E80A0B686C336D847CA61
Uniqueness
Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.418896214.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_13ed000_file.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418796725.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13dd000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418896214.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13ed000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418896214.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13ed000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418796725.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13dd000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418796725.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13dd000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418796725.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13dd000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.418796725.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13dd000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.419114158.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1430000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.439262009.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f60000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.439262009.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f60000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 0%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 40%
Total number of Nodes: 5
Total number of Limit Nodes: 0
[Execution graph figure: node 4354b0 <-> 4354c2; 4354c2 -> 4354f8; 4354c2 -> 464ec0 (SetWaitableTimer) -> 464f45 -> 4354f8]

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph figure: block 464ec0-464f3d (SetWaitableTimer) -> block 464f45-464f4a]
APIs
• SetWaitableTimer.KERNELBASE ref: 00464F20
Memory Dump Source
• Source File: 00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_file.jbxd
Yara matches
Similarity
• API ID: TimerWaitable
• String ID:
• API String ID: 1823812067-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                            • Opcode ID: 76cf7af6b34a0ed7d528a5fb49de0d268b971dcc157032501d21460dc3f171f4
                                                                                            • Instruction ID: fa8d26d5596d40ed7fdf7b2a13fcf2f655f92cb5beab767a1fad48ee62559df5
                                                                                            • Opcode Fuzzy Hash: 76cf7af6b34a0ed7d528a5fb49de0d268b971dcc157032501d21460dc3f171f4
                                                                                            • Instruction Fuzzy Hash: 77E0B6B04183419BC310EF0CC88110ABBE0BB84220F508B5DA8B8473A1D33095088B92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

C-Code - Quality: 68%
intOrPtr E004640F0(intOrPtr __eax, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
    /* rdtsc reads the CPU time-stamp counter into EDX:EAX. The report lists
       this function under execution-timing functionality, which is commonly
       used to detect debuggers or sandbox slowdowns. */
    asm("rdtsc");
    _a4 = __eax;   /* low 32 bits of the counter */
    _a8 = __edx;   /* high 32 bits of the counter */
    return __eax;
}

Instruction addresses covered by this function:
0x0046410d
0x004640fe
0x00464102
0x00464106

Memory Dump Source
• Source File: 00000003.00000002.483930551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7700c86727a3f7adf946e1b86aec0dcbef5ad3defbcffb90b65937c4e9bda6d9
• Instruction ID: a57f8d75f24581a2d508043b5438e8e17eb3c9cb30d431931d957d40f87f85f0
• Opcode Fuzzy Hash: 7700c86727a3f7adf946e1b86aec0dcbef5ad3defbcffb90b65937c4e9bda6d9
• Instruction Fuzzy Hash: 21B012B040E3319D8B40CF04810015579D096C4780F20C42FA04D47104E23840817B0B
Uniqueness

Uniqueness Score: -1.00%