Windows Analysis Report
of4pojIP5C.exe

Overview

General Information

Sample Name: of4pojIP5C.exe
Original Sample Name: f1ba471dbd6e6f3b10bbf3c76a9837eec27e14e034e9dc897eb32bd176291a77.exe
Analysis ID: 840911
MD5: b14888dcf6021d0e3d58dcd457715c3b
SHA1: 29ac4d1efac3c1451740b1b559ccd8fe7567356b
SHA256: f1ba471dbd6e6f3b10bbf3c76a9837eec27e14e034e9dc897eb32bd176291a77
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • of4pojIP5C.exe (PID: 6592 cmdline: C:\Users\user\Desktop\of4pojIP5C.exe MD5: B14888DCF6021D0E3D58DCD457715C3B)
    • of4pojIP5C.exe (PID: 484 cmdline: {path} MD5: B14888DCF6021D0E3D58DCD457715C3B)
  • cleanup
Malware Configuration

AgentTesla: {"Exfil Mode": "SMTP", "Host": "mail.panservis.rs", "Username": "office@panservis.rs", "Password": "M8KQPEmv2a+"}

Yara Overview (memory dumps)

Source: 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000005.00000002.523456023.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.308731037.0000000003489000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
(3 further entries are not included in this export)
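The process tree above shows the sample launching a second copy of its own image (PID 6592 -> PID 484, same path, same MD5), which together with the "creates a process in suspended mode" and "injects a PE file into a foreign process" signatures is the classic self-hollowing pattern. The following detector is an added example (not Joe Sandbox or AgentTesla code) that flags that pattern in Sysmon-style telemetry: a ProcessCreate where the child image equals the parent image, followed by a ProcessAccess from that parent to that child with memory-write or thread-create rights. The event records are constructed for the example and modelled on the report's tree; the explorer.exe parent, the benign browser pair and the PROCESS_* constants are assumptions, not data from the report.

```python
"""Flag a process that launches a copy of its own image and then opens that
child with memory-write / thread-create rights (self process hollowing).

Added example, not Joe Sandbox or AgentTesla code. Events are constructed
Sysmon-style dicts: event 1 (ProcessCreate) and event 10 (ProcessAccess)."""

# Windows PROCESS_* access rights that injection needs (standard constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE_IMAGE = r"C:\Users\user\Desktop\of4pojIP5C.exe"
SAMPLE_MD5 = "B14888DCF6021D0E3D58DCD457715C3B"

# Constructed telemetry modelled on the report's process tree (PIDs 6592 -> 484).
# The explorer.exe parent and the browser pair are assumed, not from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6592, "ParentProcessId": 4040,
     "Image": SAMPLE_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=" + SAMPLE_MD5},
    {"EventID": 1, "ProcessId": 484, "ParentProcessId": 6592,
     "Image": SAMPLE_IMAGE, "ParentImage": SAMPLE_IMAGE,
     "Hashes": "MD5=" + SAMPLE_MD5},
    {"EventID": 10, "SourceProcessId": 6592, "TargetProcessId": 484,
     "GrantedAccess": "0x1FFFFF"},          # PROCESS_ALL_ACCESS
    # Benign: a browser that forks a copy of itself and only queries it.
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 880,
     "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Program Files\Browser\browser.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 10, "SourceProcessId": 880, "TargetProcessId": 900,
     "GrantedAccess": "0x1000"},            # PROCESS_QUERY_LIMITED_INFORMATION
]


def _access(value):
    """Sysmon logs GrantedAccess as a hex string; accept int or str."""
    return value if isinstance(value, int) else int(value, 16)


def detect_self_injection(events):
    """Return one alert per (parent, child) pair where the child runs the same
    image as its parent and the parent then opens it with INJECT_MASK rights.

    Self-spawning alone is common (browsers, updaters), so the rule only fires
    when the write/thread-create access to the child is also observed."""
    self_spawned = {}   # child pid -> (parent pid, image path)
    for e in events:
        if e.get("EventID") == 1 and e["Image"].lower() == e["ParentImage"].lower():
            self_spawned[e["ProcessId"]] = (e["ParentProcessId"], e["Image"])
    alerts = []
    for e in events:
        if e.get("EventID") != 10:
            continue
        target = e["TargetProcessId"]
        if target not in self_spawned or self_spawned[target][0] != e["SourceProcessId"]:
            continue
        granted = _access(e["GrantedAccess"])
        if granted & INJECT_MASK:
            alerts.append({"parent": e["SourceProcessId"], "child": target,
                           "image": self_spawned[target][1],
                           "granted_access": hex(granted)})
    return alerts


if __name__ == "__main__":
    for alert in detect_self_injection(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the rule fires once, for 6592 -> 484 with PROCESS_ALL_ACCESS, and stays silent on the browser pair because 0x1000 carries none of the injection rights. In production, key the lookup on ProcessGuid rather than PID to survive PID reuse.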
Yara Overview (unpacked PE files)

Source: 0.2.of4pojIP5C.exe.35c7ed8.1.unpack | Rule: MSIL_SUSP_OBFUSC_XorStringsNet | Description: Detects XorStringsNET string encryption, and other obfuscators derived from it | Author: dr4k0nia
  • 0x17c6a:$pattern: 06 1E 58 07 8E 69 FE 17
  • 0x269d2:$a2: _CorExeMain
  • 0x227fe:$a3: mscorlib
  • 0x23bdd:$a4: .cctor
  • 0x22559:$a6: <Module>
Source: 0.2.of4pojIP5C.exe.35c7ed8.1.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5.2.of4pojIP5C.exe.400000.0.unpack | Rule: MSIL_SUSP_OBFUSC_XorStringsNet | Description: Detects XorStringsNET string encryption, and other obfuscators derived from it | Author: dr4k0nia
  • 0x19a6a:$pattern: 06 1E 58 07 8E 69 FE 17
  • 0x287d2:$a2: _CorExeMain
  • 0x245fe:$a3: mscorlib
  • 0x259dd:$a4: .cctor
  • 0x24359:$a6: <Module>
Source: 5.2.of4pojIP5C.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.of4pojIP5C.exe.3528e88.2.raw.unpack | Rule: MSIL_SUSP_OBFUSC_XorStringsNet | Description: Detects XorStringsNET string encryption, and other obfuscators derived from it | Author: dr4k0nia
  • 0xb8aba:$pattern: 06 1E 58 07 8E 69 FE 17
  • 0xe18da:$pattern: 06 1E 58 07 8E 69 FE 17
  • 0x754d2:$a2: _CorExeMain
  • 0xc7822:$a2: _CorExeMain
  • 0xf0642:$a2: _CorExeMain
  • 0x485f3:$a3: mscorlib
  • 0xc364e:$a3: mscorlib
  • 0xec46e:$a3: mscorlib
  • 0x4886d:$a4: .cctor
  • 0xc4a2d:$a4: .cctor
  • 0xed84d:$a4: .cctor
  • 0xc33a9:$a6: <Module>
  • 0xec1c9:$a6: <Module>
(3 further entries are not included in this export)
                No Sigma rule has matched
                No Snort rule has matched

                AV Detection

Source: of4pojIP5C.exe | ReversingLabs: Detection: 64%
Source: of4pojIP5C.exe | Virustotal: Detection: 72%
Source: of4pojIP5C.exe | Joe Sandbox ML: detected
Source: 5.2.of4pojIP5C.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.of4pojIP5C.exe.3528e88.2.raw.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "SMTP", "Host": "mail.panservis.rs", "Username": "office@panservis.rs", "Password": "M8KQPEmv2a+"}
Source: of4pojIP5C.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.3:49695 version: TLS 1.2
Source: of4pojIP5C.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cBeyCfM.pdbSHA256 source: of4pojIP5C.exe
Source: Binary string: cBeyCfM.pdb source: of4pojIP5C.exe
Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_06E99A60)
Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_06E9A708)

                Networking

Source: C:\Users\user\Desktop\of4pojIP5C.exe | DNS query: name: api.ipify.org (6 identical queries recorded)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 64.185.227.155 (2 entries recorded)
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.3:49696 -> 185.118.171.10:587 (2 entries recorded)
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
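The network observables above form a short, characteristic sequence: the infected host resolves api.ipify.org to learn its public IP, then opens a mail-submission connection (TCP 587) to the SMTP host from the extracted configuration. The script below is an added example (not Joe Sandbox or AgentTesla code) that correlates exactly that sequence in DNS and flow logs: an external-IP lookup followed, within a short window, by a connection from the same host to a mail port on a server that is not one of your own relays. The log line format and the sample lines are constructed for the example (the first three mirror the report's observables, the rest are benign noise the rule must ignore); the lookup-service list beyond api.ipify.org, the 10.0.0.25 relay allowlist and the two-minute window are assumptions to adapt.

```python
"""Correlate an external-IP lookup with a following outbound SMTP submission
from the same host: the exfiltration sequence recorded in this report
(DNS api.ipify.org -> HTTPS 64.185.227.155:443 -> TCP 185.118.171.10:587).

Added example, not Joe Sandbox or AgentTesla code. The line format is
constructed for this example; adapt parse_line() to your DNS/flow export."""

import re
from datetime import datetime, timedelta

# api.ipify.org comes from the report; the other lookup services are assumed.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org"}
MAIL_PORTS = {25, 465, 587}

DNS_RE = re.compile(r"^(\S+)\s+dns\s+(\d+\.\d+\.\d+\.\d+)\s+query=(\S+)$")
CONN_RE = re.compile(
    r"^(\S+)\s+conn\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$")

# Constructed sample log. Lines 1-3 mirror the report's observables; the rest
# are benign noise: a lookup with no mail traffic after it, a connection to
# the corporate relay, and a mail connection long after the lookup.
SAMPLE_LOG = """\
2023-04-04T10:00:01Z dns  192.168.2.3 query=api.ipify.org
2023-04-04T10:00:02Z conn 192.168.2.3:49695 -> 64.185.227.155:443
2023-04-04T10:00:05Z conn 192.168.2.3:49696 -> 185.118.171.10:587
2023-04-04T10:05:00Z dns  192.168.2.5 query=api.ipify.org
2023-04-04T10:06:00Z conn 192.168.2.7:50000 -> 10.0.0.25:587
2023-04-04T10:20:00Z conn 192.168.2.5:50100 -> 203.0.113.9:587
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Return a dict for a dns or conn record, or None for anything else."""
    m = DNS_RE.match(line)
    if m:
        return {"ts": _ts(m.group(1)), "kind": "dns", "src": m.group(2),
                "query": m.group(3).lower()}
    m = CONN_RE.match(line)
    if m:
        return {"ts": _ts(m.group(1)), "kind": "conn", "src": m.group(2),
                "sport": int(m.group(3)), "dst": m.group(4), "dport": int(m.group(5))}
    return None


def correlate(log_text, window=timedelta(minutes=2), allowed_mail_servers=("10.0.0.25",)):
    """Alert when a host that just resolved an external-IP lookup service opens
    a connection to a mail port on a server outside allowed_mail_servers.

    allowed_mail_servers is an assumed allowlist: put your own relays/MX there."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    last_lookup = {}          # src ip -> (timestamp, lookup domain)
    alerts = []
    for r in records:
        if r["kind"] == "dns" and r["query"] in IP_LOOKUP_DOMAINS:
            last_lookup[r["src"]] = (r["ts"], r["query"])
        elif (r["kind"] == "conn" and r["dport"] in MAIL_PORTS
              and r["dst"] not in allowed_mail_servers and r["src"] in last_lookup):
            seen, domain = last_lookup[r["src"]]
            if timedelta(0) <= r["ts"] - seen <= window:
                alerts.append({"src": r["src"], "dst": r["dst"], "dport": r["dport"],
                               "lookup": domain,
                               "delay_s": int((r["ts"] - seen).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields a single alert, 192.168.2.3 -> 185.118.171.10:587 four seconds after the api.ipify.org lookup. The window matters: AgentTesla-style stealers typically look up the public IP immediately before exfiltrating, so a short window keeps the rule quiet for hosts that merely visit an IP-lookup site. Pair it with an egress policy that only permits ports 25/465/587 to your own relays, which turns the same condition into a block rather than an alert.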
Source: of4pojIP5C.exe, 00000005.00000002.524596060.0000000001172000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.531901586.0000000006707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: of4pojIP5C.exe, 00000005.00000002.524596060.0000000001172000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.524596060.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.531901586.00000000066C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.531901586.0000000006707000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.524596060.00000000011E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: of4pojIP5C.exe, 00000005.00000002.524596060.0000000001172000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.531901586.0000000006707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: of4pojIP5C.exe, 00000005.00000003.311580183.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.524596060.00000000011D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: of4pojIP5C.exe, 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.panservis.rs
Source: of4pojIP5C.exe, 00000005.00000002.524596060.0000000001172000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.531901586.0000000006707000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.524596060.00000000011E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: of4pojIP5C.exe, 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://panservis.rs
Source: of4pojIP5C.exe, 00000000.00000002.300781049.0000000002481000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.263187670.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.263139948.00000000054EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/
Source: of4pojIP5C.exe, 00000000.00000003.267147255.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: of4pojIP5C.exe, 00000000.00000003.277630500.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.277468772.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.277554271.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers(
Source: of4pojIP5C.exe, 00000000.00000003.266652900.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266617405.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266617405.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: of4pojIP5C.exe, 00000000.00000003.269220317.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267613769.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: of4pojIP5C.exe, 00000000.00000003.267222590.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers;
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: of4pojIP5C.exe, 00000000.00000003.266652900.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269769876.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269863086.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266683624.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersH
Source: of4pojIP5C.exe, 00000000.00000003.267878487.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267847639.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267698782.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267650871.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersN
Source: of4pojIP5C.exe, 00000000.00000003.270010797.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersV
Source: of4pojIP5C.exe, 00000000.00000003.269769876.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
Source: of4pojIP5C.exe, 00000000.00000003.269942439.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269817633.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: of4pojIP5C.exe, 00000000.00000003.269220317.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comI.TTFb
Source: of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comTTFa
Source: of4pojIP5C.exe, 00000000.00000003.267031950.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266858098.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: of4pojIP5C.exe, 00000000.00000003.269942439.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269817633.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalso
Source: of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcomdb
Source: of4pojIP5C.exe, 00000000.00000003.269220317.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcomi
Source: of4pojIP5C.exe, 00000000.00000003.295210112.00000000054BB000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000002.315781815.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comepko
Source: of4pojIP5C.exe, 00000000.00000003.295210112.00000000054BB000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000002.315781815.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: of4pojIP5C.exe, 00000000.00000003.267031950.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266858098.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comsiv/#
Source: of4pojIP5C.exe, 00000000.00000003.269942439.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269817633.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comtuF
Source: of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comtuS
Source: of4pojIP5C.exe, 00000000.00000003.269942439.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269220317.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269817633.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comv
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262426469.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262515888.00000000054EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: of4pojIP5C.exe, 00000000.00000003.262890626.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262849668.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262748524.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262706540.00000000054EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: of4pojIP5C.exe, 00000000.00000003.262915418.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: of4pojIP5C.exe, 00000000.00000003.272885393.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.274232313.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273537070.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272794598.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272661768.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.274980218.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273006378.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272964580.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.274707112.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273148802.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273413878.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272811834.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272830453.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272776217.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: of4pojIP5C.exe, 00000000.00000003.273148802.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273413878.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273537070.00000000054F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/den
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272830453.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272661768.00000000054F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264383496.00000000054BD000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//on
Source: of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264383496.00000000054BD000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264137461.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ch
Source: of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264383496.00000000054BD000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264137461.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/help
Source: of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: of4pojIP5C.exe, 00000000.00000003.265964473.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/#
Source: of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264383496.00000000054BD000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ms
Source: of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/nt
Source: of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262849668.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: of4pojIP5C.exe, 00000000.00000003.262849668.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com(
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de.y
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deU
Source: of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: of4pojIP5C.exe, 00000005.00000002.526736644.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: of4pojIP5C.exe, 00000005.00000002.526736644.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: of4pojIP5C.exe, 00000005.00000002.524596060.0000000001172000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.531901586.0000000006707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                Source: unknownDNS traffic detected: queries for: api.ipify.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.3:49695 version: TLS 1.2
                Source: of4pojIP5C.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.of4pojIP5C.exe.35c7ed8.1.unpack, type: UNPACKEDPE | Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 5.2.of4pojIP5C.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 0.2.of4pojIP5C.exe.3528e88.2.raw.unpack, type: UNPACKEDPE | Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 0.2.of4pojIP5C.exe.35c7ed8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E96620
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E90040
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E95F58
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E93C10
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E96612
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E943E8
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E9A260
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E943D8
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E940C0
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E940B0
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E90023
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E92CD0
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E92CAF
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E92CA7
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E92C89
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E96870
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E9684E
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E93340
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E93327
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E93330
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E9330F
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E95F49
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E95C62
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E95C70
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E93C01
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_0135C998
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_0135A9D8
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_01359DC0
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_0135A108
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_01357FD4
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_069B5290
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_069B6660
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_069B8C20
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_069B0040
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_069B1960
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_069BBBEE
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs of4pojIP5C.exe
                Source: of4pojIP5C.exe, 00000000.00000002.318234540.0000000006D90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs of4pojIP5C.exe
                Source: of4pojIP5C.exe, 00000000.00000000.256334287.00000000000B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecBeyCfM.exe, vs of4pojIP5C.exe
                Source: of4pojIP5C.exe, 00000000.00000002.308731037.0000000003489000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs of4pojIP5C.exe
                Source: of4pojIP5C.exe, 00000000.00000002.308731037.0000000003489000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs of4pojIP5C.exe
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.0000000002537000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs of4pojIP5C.exe
                Source: of4pojIP5C.exe, 00000005.00000002.524596060.000000000110A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs of4pojIP5C.exe
                Source: of4pojIP5C.exe, 00000005.00000002.523456023.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs of4pojIP5C.exe
                Source: of4pojIP5C.exe, 00000005.00000002.523990731.0000000000D88000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs of4pojIP5C.exe
                Source: of4pojIP5C.exe | Binary or memory string: OriginalFilenamecBeyCfM.exe, vs of4pojIP5C.exe
                Source: of4pojIP5C.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: of4pojIP5C.exe | ReversingLabs: Detection: 64%
                Source: of4pojIP5C.exe | Virustotal: Detection: 72%
                Source: of4pojIP5C.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\of4pojIP5C.exe C:\Users\user\Desktop\of4pojIP5C.exe
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Process created: C:\Users\user\Desktop\of4pojIP5C.exe {path}
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\of4pojIP5C.exe.log
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/2
                Source: of4pojIP5C.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: of4pojIP5C.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: of4pojIP5C.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: of4pojIP5C.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: cBeyCfM.pdbSHA256 source: of4pojIP5C.exe
                Source: Binary string: cBeyCfM.pdb source: of4pojIP5C.exe

                Data Obfuscation

                Source: of4pojIP5C.exe, LoginForm1.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_04942931 pushad ; ret 0_2_04942933
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E924F7 push es; retf 0_2_06E924F8
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E9247F push es; retf 0_2_06E92480
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 0_2_06E935E4 push edx; retf 0_2_06E935E5
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_0135DFC1 push eax; ret 5_2_0135E02F
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_0135DAE2 push esi; ret 5_2_0135DA30
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Code function: 5_2_069BA8C0 push es; ret 5_2_069BA8D0
                Source: initial sample | Static PE information: section name: .text entropy: 7.266169092540603
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: of4pojIP5C.exe PID: 6592, type: MEMORYSTR
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 6596 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 4892 | Thread sleep count: 4327 > 30
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -11068046444225724s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -99859s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -99749s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -99639s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -99531s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -99422s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -99312s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -99202s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -99091s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98981s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98873s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98766s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98649s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98526s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98406s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98255s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98122s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -98016s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -97906s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe TID: 1920 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Window / User API: threadDelayed 4327
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 100000
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 99859
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 99749
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 99639
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 99531
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 99422
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 99312
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 99202
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 99091
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98981
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98873
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98766
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98649
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98526
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98406
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98255
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98122
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 98016
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 97906
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Thread delayed: delay time: 922337203685477
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                Source: of4pojIP5C.exe, 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                Source: of4pojIP5C.exe, 00000005.00000003.311580183.00000000011B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\of4pojIP5C.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Memory written: C:\Users\user\Desktop\of4pojIP5C.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Process created: C:\Users\user\Desktop\of4pojIP5C.exe {path}
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Users\user\Desktop\of4pojIP5C.exe VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Queries volume information: C:\Users\user\Desktop\of4pojIP5C.exe VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Code function: 5_2_0135F6F0 GetUserNameW, 5_2_0135F6F0

                Stealing of Sensitive Information

                Source: Yara match; File source: 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: of4pojIP5C.exe PID: 484, type: MEMORYSTR
                Source: Yara match; File source: 0.2.of4pojIP5C.exe.35c7ed8.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 5.2.of4pojIP5C.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.of4pojIP5C.exe.3528e88.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.of4pojIP5C.exe.35c7ed8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000005.00000002.523456023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.308731037.0000000003489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\of4pojIP5C.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\of4pojIP5C.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\of4pojIP5C.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\Desktop\of4pojIP5C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\of4pojIP5C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match; File source: 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: of4pojIP5C.exe PID: 484, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match; File source: 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: of4pojIP5C.exe PID: 484, type: MEMORYSTR
                Source: Yara match; File source: 0.2.of4pojIP5C.exe.35c7ed8.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 5.2.of4pojIP5C.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.of4pojIP5C.exe.3528e88.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.of4pojIP5C.exe.35c7ed8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000005.00000002.523456023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.308731037.0000000003489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Credentials in Registry | 211 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | 23 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 13 Software Packing | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 114 System Information Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
                Source | Detection | Scanner | Label | Link
                of4pojIP5C.exe | 65% | ReversingLabs | Win32.Trojan.Leonem |
                of4pojIP5C.exe | 72% | Virustotal | | Browse
                of4pojIP5C.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                Source | Detection | Scanner | Label | Link | Download
                5.2.of4pojIP5C.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.fontbureau.comepko | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/4 | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/) | 0% | URL Reputation | safe |
http://www.fontbureau.comalso | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/# | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.urwpp.de | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnd | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
http://www.fontbureau.comF | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/S | 0% | URL Reputation | safe |
http://www.fontbureau.comcomdb | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/L | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://www.fontbureau.coma | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/# | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/t | 0% | URL Reputation | safe |
http://www.fontbureau.comm | 0% | URL Reputation | safe |
http://www.tiro.com( | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.fontbureau.como | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/i | 0% | URL Reputation | safe |
http://www.fontbureau.comv | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/help | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/nt | 0% | Avira URL Cloud | safe |
http://panservis.rs | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comtuF | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comsiv/# | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/staff/den | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comI.TTFb | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/ch | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp//on | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comtuS | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/ms | 0% | Avira URL Cloud | safe |
http://mail.panservis.rs | 0% | Avira URL Cloud | safe |
http://www.urwpp.deU | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comcomi | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comTTFa | 0% | Avira URL Cloud | safe |
http://www.urwpp.de.y | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
panservis.rs | 185.118.171.10 | true | false | | unknown
api4.ipify.org | 64.185.227.155 | true | false | | high
api.ipify.org | unknown | unknown | false | | high
mail.panservis.rs | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.comI.TTFb | of4pojIP5C.exe, 00000000.00000003.269220317.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersH | of4pojIP5C.exe, 00000000.00000003.266652900.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269769876.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269863086.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266683624.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comcomdb | of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262849668.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersV | of4pojIP5C.exe, 00000000.00000003.270010797.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/help | of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264383496.00000000054BD000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264137461.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | of4pojIP5C.exe, 00000000.00000003.267147255.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comepko | of4pojIP5C.exe, 00000000.00000003.295210112.00000000054BB000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000002.315781815.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersN | of4pojIP5C.exe, 00000000.00000003.267878487.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267847639.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267698782.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267650871.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272830453.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272661768.00000000054F0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ch | of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264383496.00000000054BD000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264137461.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org | of4pojIP5C.exe, 00000005.00000002.526736644.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://fontfabrik.com | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comsiv/# | of4pojIP5C.exe, 00000000.00000003.267031950.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266858098.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp//on | of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/4 | of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/den | of4pojIP5C.exe, 00000000.00000003.273148802.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273413878.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273537070.00000000054F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/ | of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/) | of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264383496.00000000054BD000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalso | of4pojIP5C.exe, 00000000.00000003.269942439.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269817633.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comtuS | of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/# | of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com( | of4pojIP5C.exe, 00000000.00000003.262849668.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.de | of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comtuF | of4pojIP5C.exe, 00000000.00000003.269942439.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269817633.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | of4pojIP5C.exe, 00000000.00000002.300781049.0000000002481000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://panservis.rs | of4pojIP5C.exe, 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designerss | of4pojIP5C.exe, 00000000.00000003.269769876.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cnd | of4pojIP5C.exe, 00000000.00000003.262915418.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.263187670.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.263139948.00000000054EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/ | of4pojIP5C.exe, 00000000.00000003.272885393.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.274232313.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273537070.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272794598.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272661768.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.274980218.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273006378.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272964580.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.274707112.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273148802.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.273413878.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272811834.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272830453.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.272776217.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/nt | of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comF | of4pojIP5C.exe, 00000000.00000003.269942439.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269817633.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | of4pojIP5C.exe, 00000005.00000002.524596060.0000000001172000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.531901586.0000000006707000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/S | of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.panservis.rs | of4pojIP5C.exe, 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000005.00000002.526736644.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcomi | of4pojIP5C.exe, 00000000.00000003.269220317.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deU | of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/L | of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | of4pojIP5C.exe, 00000000.00000003.265964473.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comTTFa | of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.coma | of4pojIP5C.exe, 00000000.00000003.267031950.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266858098.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267796030.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | of4pojIP5C.exe, 00000000.00000003.262890626.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262849668.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262748524.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262706540.00000000054EF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers( | of4pojIP5C.exe, 00000000.00000003.277630500.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.277468772.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.277554271.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262426469.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.262515888.00000000054EA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ms | of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264383496.00000000054BD000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.267613769.00000000054E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/jp/# | of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/t | of4pojIP5C.exe, 00000000.00000003.264512639.00000000054B7000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.264740569.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | of4pojIP5C.exe, 00000000.00000003.269220317.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comm | of4pojIP5C.exe, 00000000.00000003.295210112.00000000054BB000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000002.315781815.00000000054BF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | of4pojIP5C.exe, 00000000.00000003.264496804.00000000054BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/i | of4pojIP5C.exe, 00000000.00000003.264861664.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | of4pojIP5C.exe, 00000000.00000002.316312102.00000000066C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comv | of4pojIP5C.exe, 00000000.00000003.269942439.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269220317.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.269817633.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe |
                                                                unknown
                                                                http://www.fontbureau.com/designers;of4pojIP5C.exe, 00000000.00000003.267222590.00000000054E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.urwpp.de.yof4pojIP5C.exe, 00000000.00000003.270186869.00000000054BE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/of4pojIP5C.exe, 00000000.00000003.266652900.00000000054E9000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266617405.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, of4pojIP5C.exe, 00000000.00000003.266617405.00000000054E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    • No. of IPs < 25%
                                                                    • 25% < No. of IPs < 50%
                                                                    • 50% < No. of IPs < 75%
                                                                    • 75% < No. of IPs
IP              Domain           Country        ASN     ASN Name         Malicious
185.118.171.10  panservis.rs     Serbia         203877  ASTRATELEKOMRS   false
64.185.227.155  api4.ipify.org   United States  18450   WEBNXUS          false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 840911
Start date and time: 2023-04-04 13:50:57 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: of4pojIP5C.exe
Original Sample Name: f1ba471dbd6e6f3b10bbf3c76a9837eec27e14e034e9dc897eb32bd176291a77.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@4/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 49
• Number of non-executed functions: 16
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
13:52:07  API Interceptor  20x Sleep call for process: of4pojIP5C.exe modified
Process: C:\Users\user\Desktop\of4pojIP5C.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.255253609991992
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: of4pojIP5C.exe
File size: 587776
MD5: b14888dcf6021d0e3d58dcd457715c3b
SHA1: 29ac4d1efac3c1451740b1b559ccd8fe7567356b
SHA256: f1ba471dbd6e6f3b10bbf3c76a9837eec27e14e034e9dc897eb32bd176291a77
SHA512: 44150b46e9c57afa08ba344aa3503f9674a9ae585159a2c1c7f4ee9df39cf8b6a772d69f119ddb61e47c8c2a952494e50834880ea457268ff9f5c7d673c20978
SSDEEP: 12288:B/RmS10v9E/lZ4+28s8lhoSlr5xg3YiYeN+JKE2ccy/3BKl:BnCHyr5xgoiY2+JXVfxK
TLSH: B5C43A7D2DB88E66F439D3788BE0D133A1A1E7D7AB21CB182BD7124C4E0190679DE16D
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............P.................. ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x490cfe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x641BE32E [Thu Mar 23 05:27:10 2023 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Entrypoint Preview
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times)
The only real instruction at the entry point is the jmp: 0x402000 is the image base (0x400000) plus the IAT directory RVA (0x2000), whose single 8-byte slot holds the one import of this binary, mscoree.dll!_CorExeMain. That indirect jump is the standard loader stub of a managed (.NET) PE32 executable; the native code of the sample lives in the CLR, not here. The `add byte ptr [eax], al` lines that follow are 00 00 padding bytes disassembled as instructions, not code.
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x90caa | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x594 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8e208 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8ed04 | 0x8ee00 | False | 0.7267009104330708 | data | 7.266169092540603 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x92000 | 0x594 | 0x600 | False | 0.4173177083333333 | data | 4.073444232287188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x94000 | 0xc | 0x200 | False | 0.041015625 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x92090 | 0x304 | data | |
RT_MANIFEST | 0x923a4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |

Imports
DLL | Import
mscoree.dll | _CorExeMain
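The static figures above (per-section entropy, the IAT and CLR-header data directories, the entry-point stub) can be reproduced from the raw bytes with nothing but the Python standard library. The script below is an added example, not part of the Joe Sandbox report or of the sample; `parse_pe`, `triage` and `build_sample_pe` are names chosen here. Because the sample itself is not shipped with the page, the script constructs a toy PE32 inline whose section table mirrors the one above (.text/.rsrc/.reloc, IAT at RVA 0x2000, CLR header at 0x2008, a `jmp dword ptr [0x402000]` at the entry point); given a path on the command line it runs the same checks on a real file.

```python
"""Static PE32 triage: per-section entropy, data directories, managed entry stub (added example)."""
import math
import struct
import sys
from collections import Counter

IAT_DIR, CLR_DIR = 12, 14   # IMAGE_DIRECTORY_ENTRY_IAT / IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0), the per-section figure the report prints."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(data: bytes) -> dict:
    """Pull the PE32 fields triage needs; raises ValueError for anything that is not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF header
    opt = pe + 24                                              # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):                                     # section table sits right after the optional header
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rptr": rptr,
                         "raw": raw, "entropy": shannon_entropy(raw), "chars": chars})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}

def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s["rptr"] + rva - s["va"]
    raise ValueError(f"RVA {rva:#x} is outside every section")

def is_managed_entry_stub(pe: dict, data: bytes) -> bool:
    """Entry point is 'jmp dword ptr [slot]' (FF 25 abs32) with the slot inside the IAT directory and
    a CLR header present: the stub a managed PE32 uses to reach mscoree!_CorExeMain."""
    off = rva_to_offset(pe, pe["entry_rva"])
    if data[off:off + 2] != b"\xff\x25":
        return False
    slot_rva = struct.unpack_from("<I", data, off + 2)[0] - pe["image_base"]
    iat_rva, iat_size = pe["dirs"][IAT_DIR]
    return iat_rva <= slot_rva < iat_rva + iat_size and pe["dirs"][CLR_DIR][1] > 0

def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"entry_va": pe["image_base"] + pe["entry_rva"],
            "managed_entry_stub": is_managed_entry_stub(pe, data),
            "sections": [{"name": s["name"], "entropy": round(s["entropy"], 3),
                          "executable": bool(s["chars"] & 0x20000000)} for s in pe["sections"]]}

def build_sample_pe() -> bytes:
    """Constructed toy PE32 (not the report's sample): three sections laid out like its section table,
    IAT at RVA 0x2000, CLR header at 0x2008 and the managed stub at the entry point 0x2050."""
    image_base, file_align = 0x400000, 0x200
    text = bytearray(0x1000)
    struct.pack_into("<I", text, 0x00, 0x2F00)                 # the single IAT slot (unresolved RVA)
    struct.pack_into("<IHH", text, 0x08, 0x48, 2, 5)           # CLR header: cb, major, minor
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)   # jmp dword ptr [0x402000]
    tail = len(text) - 0x56
    text[0x56:] = (bytes(range(256)) * (tail // 256 + 1))[:tail]  # dense filler, entropy close to 8
    rsrc = (b"RT_VERSION RT_MANIFEST " * 70)[:0x600]             # low-entropy ASCII
    reloc = bytes(0x200)                                           # all zeros, entropy 0
    bodies = [(b".text", text, 0x2000, 0x60000020), (b".rsrc", rsrc, 0x4000, 0x40000040),
              (b".reloc", reloc, 0x6000, 0x42000040)]
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), 0x641BE32E, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0x30, 0, len(text), len(rsrc) + len(reloc), 0,
                      0x2050, 0x2000, 0x4000, image_base, 0x1000, file_align, 4, 0, 0, 0, 4, 0,
                      0, 0x7000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IAT_DIR], dirs[CLR_DIR] = (0x2000, 8), (0x2008, 0x48)
    hdr = bytes(dos) + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)
    raw, ptr = b"", 0x200
    for name, body, va, chars in bodies:
        hdr += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(body), ptr, 0, 0, 0, 0, chars)
        raw, ptr = raw + bytes(body), ptr + len(body)
    return hdr.ljust(0x200, b"\0") + raw

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    res = triage(blob)
    print(f"entry point {res['entry_va']:#x}, managed CLR stub: {res['managed_entry_stub']}")
    for s in res["sections"]:
        print(f"{s['name']:<8} entropy {s['entropy']:.3f}  executable={s['executable']}")
```

The entropy check is what makes the 7.27 on .text meaningful: plain managed code compiles to IL with entropy well below 7, so a .text section this dense, with no resources of its own beyond the version block and manifest, is what you expect from an obfuscated or encrypted payload that is unpacked at run time (consistent with the ".NET source code contains potential unpacker" and "Injects a PE file into a foreign processes" signatures in the report).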
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 4, 2023 13:52:16.960052013 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:16.960144043 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:16.960262060 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:17.042500019 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:17.042546034 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:17.809218884 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:17.809331894 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:17.811909914 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:17.811948061 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:17.812758923 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:18.018747091 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:18.018954992 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:18.088550091 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:18.088593006 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:18.187154055 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:18.187277079 CEST | 443 | 49695 | 64.185.227.155 | 192.168.2.3
Apr 4, 2023 13:52:18.187438011 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:18.188781023 CEST | 49695 | 443 | 192.168.2.3 | 64.185.227.155
Apr 4, 2023 13:52:26.312630892 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:26.344582081 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:26.344722033 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.567596912 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.568522930 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.639710903 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.640378952 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.674274921 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.674839973 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.714050055 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.714086056 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.714106083 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.714127064 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.714202881 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.714240074 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.716227055 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.802834988 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.835237980 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.850012064 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.882025957 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.883647919 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.920599937 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.921473980 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.962785959 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.967406034 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:27.999453068 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:27.999818087 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:28.073338985 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:28.153577089 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:28.166024923 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:28.197840929 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:28.197875023 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:28.200210094 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:28.200337887 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:28.200444937 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:28.200525999 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
Apr 4, 2023 13:52:28.232034922 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:28.232068062 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:28.232192039 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:28.279333115 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3
Apr 4, 2023 13:52:28.329461098 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 4, 2023 13:52:16.850574017 CEST | 61787 | 53 | 192.168.2.3 | 8.8.8.8
Apr 4, 2023 13:52:16.871001005 CEST | 53 | 61787 | 8.8.8.8 | 192.168.2.3
Apr 4, 2023 13:52:16.911077976 CEST | 58921 | 53 | 192.168.2.3 | 8.8.8.8
Apr 4, 2023 13:52:16.940558910 CEST | 53 | 58921 | 8.8.8.8 | 192.168.2.3
Apr 4, 2023 13:52:26.129409075 CEST | 62704 | 53 | 192.168.2.3 | 8.8.8.8
Apr 4, 2023 13:52:26.210777044 CEST | 53 | 62704 | 8.8.8.8 | 192.168.2.3
Apr 4, 2023 13:52:26.215101004 CEST | 49977 | 53 | 192.168.2.3 | 8.8.8.8
Apr 4, 2023 13:52:26.308320999 CEST | 53 | 49977 | 8.8.8.8 | 192.168.2.3
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 4, 2023 13:52:16.850574017 CEST | 192.168.2.3 | 8.8.8.8 | 0x9721 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:16.911077976 CEST | 192.168.2.3 | 8.8.8.8 | 0x824f | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:26.129409075 CEST | 192.168.2.3 | 8.8.8.8 | 0xf2f9 | Standard query (0) | mail.panservis.rs | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:26.215101004 CEST | 192.168.2.3 | 8.8.8.8 | 0x937a | Standard query (0) | mail.panservis.rs | A (IP address) | IN (0x0001) | false

DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 4, 2023 13:52:16.871001005 CEST | 8.8.8.8 | 192.168.2.3 | 0x9721 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Apr 4, 2023 13:52:16.871001005 CEST | 8.8.8.8 | 192.168.2.3 | 0x9721 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:16.871001005 CEST | 8.8.8.8 | 192.168.2.3 | 0x9721 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:16.871001005 CEST | 8.8.8.8 | 192.168.2.3 | 0x9721 | No error (0) | api4.ipify.org | | 173.231.16.75 | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:16.940558910 CEST | 8.8.8.8 | 192.168.2.3 | 0x824f | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Apr 4, 2023 13:52:16.940558910 CEST | 8.8.8.8 | 192.168.2.3 | 0x824f | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:16.940558910 CEST | 8.8.8.8 | 192.168.2.3 | 0x824f | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:16.940558910 CEST | 8.8.8.8 | 192.168.2.3 | 0x824f | No error (0) | api4.ipify.org | | 173.231.16.75 | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:26.210777044 CEST | 8.8.8.8 | 192.168.2.3 | 0xf2f9 | No error (0) | mail.panservis.rs | panservis.rs | | CNAME (Canonical name) | IN (0x0001) | false
Apr 4, 2023 13:52:26.210777044 CEST | 8.8.8.8 | 192.168.2.3 | 0xf2f9 | No error (0) | panservis.rs | | 185.118.171.10 | A (IP address) | IN (0x0001) | false
Apr 4, 2023 13:52:26.308320999 CEST | 8.8.8.8 | 192.168.2.3 | 0x937a | No error (0) | mail.panservis.rs | panservis.rs | | CNAME (Canonical name) | IN (0x0001) | false
Apr 4, 2023 13:52:26.308320999 CEST | 8.8.8.8 | 192.168.2.3 | 0x937a | No error (0) | panservis.rs | | 185.118.171.10 | A (IP address) | IN (0x0001) | false
HTTPS Proxied Requests
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49695 | 64.185.227.155 | 443 | C:\Users\user\Desktop\of4pojIP5C.exe
Timestamp | kBytes transferred | Direction | Data
2023-04-04 11:52:18 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-04-04 11:52:18 UTC | 0 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Tue, 04 Apr 2023 11:52:18 GMT
Vary: Origin
Connection: close
2023-04-04 11:52:18 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34
Data Ascii: 102.129.143.44


                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                            Apr 4, 2023 13:52:27.567596912 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3 | 220-cp1.astratelekom.com ESMTP Exim 4.96 #2 Tue, 04 Apr 2023 13:52:27 +0200
                                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                                            220 and/or bulk e-mail.
                                                                            Apr 4, 2023 13:52:27.568522930 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10 | EHLO 610930
                                                                            Apr 4, 2023 13:52:27.639710903 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3 | 250-cp1.astratelekom.com Hello 610930 [102.129.143.44]
                                                                            250-SIZE 52428800
                                                                            250-8BITMIME
                                                                            250-PIPELINING
                                                                            250-PIPECONNECT
                                                                            250-AUTH PLAIN LOGIN
                                                                            250-STARTTLS
                                                                            250 HELP
                                                                            Apr 4, 2023 13:52:27.640378952 CEST | 49696 | 587 | 192.168.2.3 | 185.118.171.10 | STARTTLS
                                                                            Apr 4, 2023 13:52:27.674274921 CEST | 587 | 49696 | 185.118.171.10 | 192.168.2.3 | 220 TLS go ahead
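The two traces above are the whole visible exfiltration path: an unauthenticated GET to api.ipify.org to learn the public IP, then an SMTP session on port 587 that goes opaque at "220 TLS go ahead". The Python below is an added example, not part of the Joe Sandbox report; it parses the HTTP and SMTP lines as they appear above and turns them into the indicators an analyst would write up. The line lists are constructed from the report's session data, the "|" column separator, the IP_ECHO_HOSTS list and all function names are assumptions of this example and not a Joe Sandbox export format.

```python
"""Extract exfiltration indicators from the HTTP and SMTP traces above.

Added example, not part of the Joe Sandbox report. HTTP_LINES and SMTP_LINES
are constructed from the report's own session data; the "|" separator, the
IP_ECHO_HOSTS list and the function names are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# Services whose only job is to echo the caller's public IP. Analyst-maintained
# assumption; the report itself shows only api.ipify.org.
IP_ECHO_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.dyndns.org", "ip-api.com"}

HTTP_LINES = [
    "2023-04-04 11:52:18 UTC|0|OUT|GET / HTTP/1.1",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0",
    "Host: api.ipify.org",
    "2023-04-04 11:52:18 UTC|0|IN|HTTP/1.1 200 OK",
    "Content-Length: 14",
    "Data Ascii: 102.129.143.44",
]

SMTP_LINES = [
    "Apr 4, 2023 13:52:27.567596912 CEST|587|49696|185.118.171.10|192.168.2.3|220-cp1.astratelekom.com ESMTP Exim 4.96 #2 Tue, 04 Apr 2023 13:52:27 +0200",
    "220 and/or bulk e-mail.",
    "Apr 4, 2023 13:52:27.568522930 CEST|49696|587|192.168.2.3|185.118.171.10|EHLO 610930",
    "Apr 4, 2023 13:52:27.639710903 CEST|587|49696|185.118.171.10|192.168.2.3|250-cp1.astratelekom.com Hello 610930 [102.129.143.44]",
    "250-SIZE 52428800",
    "250-AUTH PLAIN LOGIN",
    "250-STARTTLS",
    "250 HELP",
    "Apr 4, 2023 13:52:27.640378952 CEST|49696|587|192.168.2.3|185.118.171.10|STARTTLS",
    "Apr 4, 2023 13:52:27.674274921 CEST|587|49696|185.118.171.10|192.168.2.3|220 TLS go ahead",
]

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")            # server reply: code, then "-" or " "
HELLO_RE = re.compile(r"^(\S+) Hello (\S+) \[([\d.]+)\]")  # EHLO response carrying our IP
BANNER_RE = re.compile(r"^(\S+) ESMTP (.+?) #")         # greeting: host, MTA name/version


@dataclass
class SmtpSession:
    server: str = ""            # hostname from the 220 banner
    software: str = ""          # MTA and version from the banner
    ehlo_name: str = ""         # name the client identified itself with
    seen_as_ip: str = ""        # client IP as reported in the server's Hello line
    extensions: list = field(default_factory=list)
    auth_methods: list = field(default_factory=list)
    starttls_offered: bool = False
    starttls_requested: bool = False
    tls_started: bool = False   # a 220 reply after the client's STARTTLS


def parse_http(lines):
    """Host and decoded body of the single request/response pair."""
    out = {"host": None, "body": None}
    for line in lines:
        if line.startswith("Host: "):
            out["host"] = line[len("Host: "):].strip()
        elif line.startswith("Data Ascii: "):
            out["body"] = line[len("Data Ascii: "):].strip()
    return out


def parse_smtp(lines):
    """Server replies carry a 3-digit code; anything else is a client command."""
    s = SmtpSession()
    for raw in lines:
        text = raw.split("|", 5)[-1].strip()   # drop timestamp/port/IP columns if present
        m = REPLY_RE.match(text)
        if not m:                               # client side
            verb, _, arg = text.partition(" ")
            if verb.upper() in ("EHLO", "HELO"):
                s.ehlo_name = arg
            elif verb.upper() == "STARTTLS":
                s.starttls_requested = True
            continue
        code, rest = m.groups()
        if code == "220":
            b = BANNER_RE.match(rest)
            if b:
                s.server, s.software = b.group(1), b.group(2)
            elif s.starttls_requested:
                s.tls_started = True            # everything after this is inside TLS
        elif code == "250":
            h = HELLO_RE.match(rest)
            if h:
                s.seen_as_ip = h.group(3)
                continue
            tokens = rest.split()
            s.extensions.append(tokens[0])
            if tokens[0] == "AUTH":
                s.auth_methods = tokens[1:]
            elif tokens[0] == "STARTTLS":
                s.starttls_offered = True
    return s


def indicators(http, smtp):
    """Findings in the form an analyst would put in the IOC section."""
    found = []
    if http["host"] in IP_ECHO_HOSTS:
        found.append(f"public IP lookup via {http['host']} -> {http['body']}")
    if smtp.server:
        found.append(f"SMTP session to {smtp.server} ({smtp.software}), client EHLO name {smtp.ehlo_name!r}")
    if smtp.seen_as_ip and smtp.seen_as_ip == http["body"]:
        found.append("IP echoed by the lookup service matches the IP in the SMTP Hello: direct egress, no proxy")
    if {"PLAIN", "LOGIN"} & set(smtp.auth_methods):
        found.append("server offers AUTH PLAIN/LOGIN; credentials are sent only after STARTTLS"
                     if smtp.tls_started else "server offers AUTH PLAIN/LOGIN over cleartext")
    return found
```

The cross-check between the ipify body and the address in the server's Hello line is the useful part: it shows the sample talks to the mail server directly from the sandbox's egress IP. Because the session switches to TLS before AUTH, the SMTP credentials and the stolen data never appear in this trace; recovering them needs either TLS interception in the sandbox or the configuration strings from the memory dumps listed further down.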

                                                                            Target ID:0
                                                                            Start time:13:51:55
                                                                            Start date:04/04/2023
                                                                            Path:C:\Users\user\Desktop\of4pojIP5C.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\of4pojIP5C.exe
                                                                            Imagebase:0x20000
                                                                            File size:587776 bytes
                                                                            MD5 hash:B14888DCF6021D0E3D58DCD457715C3B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.300781049.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.308731037.0000000003489000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low

                                                                            Target ID:5
                                                                            Start time:13:52:13
                                                                            Start date:04/04/2023
                                                                            Path:C:\Users\user\Desktop\of4pojIP5C.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:{path}
                                                                            Imagebase:0x960000
                                                                            File size:587776 bytes
                                                                            MD5 hash:B14888DCF6021D0E3D58DCD457715C3B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.526736644.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.523456023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low

                                                                              Execution Graph

                                                                              Execution Coverage:12.9%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:24.8%
                                                                              Total number of Nodes:101
                                                                              Total number of Limit Nodes:9
                                                                              execution_graph (rendered graph; the node/edge dump is reduced here to the API calls it resolves, with the address of the calling node):
                                                                              • 6e98158 CreateProcessW (reached through wrappers 6e95f49, 6e95f58, 6e96612, 6e96620, 6e9684e, 6e96870 and 6e96210)
                                                                              • 6e985d3 ReadProcessMemory
                                                                              • 6e9869b VirtualAllocEx
                                                                              • 6e9874b WriteProcessMemory
                                                                              • 6e98510 SetThreadContext
                                                                              • 6e988f9 ResumeThread
                                                                              • 6e926d8 VirtualProtect (called from 6e90f3b, 6e9045f and 6e9089d)
                                                                              • 6e98bd8 PostMessageW
                                                                              • 4940d6a CallWindowProcW
                                                                              • 4943e98 CreateActCtxA (via 4941e9c)
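The API set the execution graph resolves for the unpacked code at 0x6e90000 (CreateProcessW, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is the classic process-hollowing chain behind the "Injects a PE file into a foreign processes" signature. The Python below is an added example, not part of the Joe Sandbox report, showing how a detection rule matches that chain as an ordered subsequence of an API trace while ignoring an ordinary launcher. The graph only shows which APIs are reached, not when; the ordering in TRACE is therefore this example's assumption (the order a hollowing loader uses them), and BENIGN_TRACE and all addresses in it are constructed.

```python
"""Match a process-hollowing API chain in an ordered API trace.

Added example; not part of the Joe Sandbox report. TRACE lists the Win32 APIs
the execution graph above resolves for the unpacked code at 0x6e90000. The
graph does not give a call order, so the order here is this example's
assumption. BENIGN_TRACE is constructed.
"""
from collections import namedtuple

Call = namedtuple("Call", "address api")

TRACE = [
    Call(0x6e926d8, "VirtualProtect"),      # make the unpacked code executable
    Call(0x6e98158, "CreateProcessW"),      # spawn the victim process
    Call(0x6e985d3, "ReadProcessMemory"),   # typically reads the victim's PEB for its image base
    Call(0x6e9869b, "VirtualAllocEx"),      # reserve room for the new image in the victim
    Call(0x6e9874b, "WriteProcessMemory"),  # copy headers and sections across
    Call(0x6e98510, "SetThreadContext"),    # point the primary thread at the new entry point
    Call(0x6e988f9, "ResumeThread"),        # run the payload
    Call(0x6e98bd8, "PostMessageW"),
]

# A launcher that creates a process and resumes it, but never writes into it.
BENIGN_TRACE = [
    Call(0x401000, "CreateProcessW"),
    Call(0x401040, "ResumeThread"),
    Call(0x401080, "PostMessageW"),
]

HOLLOWING_CHAIN = (
    "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
    "SetThreadContext", "ResumeThread",
)


def find_ordered_chain(trace, chain):
    """Indices at which `chain` occurs as an ordered subsequence of `trace`, or None.

    Unrelated calls between stages are allowed; stages may not be reordered,
    which is what separates hollowing from a launcher that merely resumes a
    suspended child.
    """
    hits, pos = [], 0
    for api in chain:
        while pos < len(trace) and trace[pos].api != api:
            pos += 1
        if pos == len(trace):
            return None
        hits.append(pos)
        pos += 1
    return hits


def stages_present(trace, chain=HOLLOWING_CHAIN):
    """Which stages of the chain appear at all, regardless of order."""
    seen = {c.api for c in trace}
    return [api for api in chain if api in seen]


def hollowing_verdict(trace):
    """Full chain in order -> 'hollowing'; three or more stages -> 'partial'; else 'none'."""
    hits = find_ordered_chain(trace, HOLLOWING_CHAIN)
    if hits is not None:
        return {"verdict": "hollowing",
                "call_sites": [hex(trace[i].address) for i in hits]}
    present = stages_present(trace)
    if len(present) >= 3:
        return {"verdict": "partial", "stages": present}
    return {"verdict": "none", "stages": present}


if __name__ == "__main__":
    print(hollowing_verdict(TRACE))
    print(hollowing_verdict(BENIGN_TRACE))
```

The "partial" verdict is deliberate: an API trace from a sandbox can miss calls (hooks bypassed, direct syscalls, NtUnmapViewOfSection used instead of VirtualAllocEx), so a rule that only fires on the complete ordered chain would miss variants that a three-of-five match still catches, at the cost of more analyst review.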

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph (rendered graph; edge list omitted): function at 6e96870, basic blocks 6e96870-6e9789e; calls 6e96210 from block 6e96767-6e967e5 and 6e93340 from block 6e96b4e-6e96c18
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4cF1$4cF1
                                                                              • API String ID: 0-3576286609
                                                                              • Opcode ID: 07cdac6f2d7403cbbdbec2bda41258dc45436762c86609cba45fc8f84ad16a18
                                                                              • Instruction ID: 239757b1b2305f7eff584ee7ff198e0de8065999975b2ef7d03237c788a6c51e
                                                                              • Opcode Fuzzy Hash: 07cdac6f2d7403cbbdbec2bda41258dc45436762c86609cba45fc8f84ad16a18
                                                                              • Instruction Fuzzy Hash: CE510570D5122A9FDB64CF65C944BD9B7B2BF89300F1092EAD509A7250E770AAC5CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 13e2debcc5776dfa8d0ccac1af4557863b604cffd6069a52789529697018604a
                                                                              • Instruction ID: 64f8b10cbc12e72af289e37bb0c72b1613accbb1431a604826403745af5d30da
                                                                              • Opcode Fuzzy Hash: 13e2debcc5776dfa8d0ccac1af4557863b604cffd6069a52789529697018604a
                                                                              • Instruction Fuzzy Hash: 04A121B4E046598FCF44CFAAC5856DEFBF2BF88300F24912AD805AB354D7359942CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5f6d5ea72f140f4675ecc52df836e3c0f353caa46937fa3520acea3f27bfff80
                                                                              • Instruction ID: 22751f33b358c19639baba47d85fcb8ead8abb2cde312ce88c1793fbbd387588
                                                                              • Opcode Fuzzy Hash: 5f6d5ea72f140f4675ecc52df836e3c0f353caa46937fa3520acea3f27bfff80
                                                                              • Instruction Fuzzy Hash: B8A122B4E046598FCF44CFAAC58159EFBF2BF88300F24912AC805AB354D7359A42CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 89e7eb09c662284cf6884a336b85009a901711fc01c8c33d2069cbdadf8e219c
                                                                              • Instruction ID: bac6ccef673ab211412f0df5e2f9f7d57b840bbd5f3af6144058aaa9765e5f92
                                                                              • Opcode Fuzzy Hash: 89e7eb09c662284cf6884a336b85009a901711fc01c8c33d2069cbdadf8e219c
                                                                              • Instruction Fuzzy Hash: 16811575E1122A8BDB64DF65CC48BE9BBB2EF89300F1081EAD509A7250EB745EC5CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3d1d9710bffd7f27cfe55495adca68a4590a67208271cfa7477d6246d27b93aa
                                                                              • Instruction ID: 469da72482bd3fb4e706807f9e10ee971d4cc6a1e72435d13f2b7417d3122ef9
                                                                              • Opcode Fuzzy Hash: 3d1d9710bffd7f27cfe55495adca68a4590a67208271cfa7477d6246d27b93aa
                                                                              • Instruction Fuzzy Hash: E7613774D06209DFEF44CFAAE5806DDFBB2EF8A354F24A42AD009B7254D7348945CB64
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0375b46b14fa420a6e4591546d16c23a655dfee1cc303538330947cf1c26d510
                                                                              • Instruction ID: 0b3ff5b310a0f3c56d0a1144d797e7b3b18db50c2992516051a21a6e558c7432
                                                                              • Opcode Fuzzy Hash: 0375b46b14fa420a6e4591546d16c23a655dfee1cc303538330947cf1c26d510
                                                                              • Instruction Fuzzy Hash: 10611574E06209DFEF44CFA9E5806DDFBF2EF8A354F24A02AD409A7254E7348945CB64
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d426a1656f55841d55168225919ceaadb6c693f2e1fc857c45caa7bdbfdfc51a
                                                                              • Instruction ID: 4721cb4342d6061d3c5b8bb6e1aec91c51d2935027db3fe855b809f55928d02c
                                                                              • Opcode Fuzzy Hash: d426a1656f55841d55168225919ceaadb6c693f2e1fc857c45caa7bdbfdfc51a
                                                                              • Instruction Fuzzy Hash: 3A515A70E1162A8BDB68CF65CD447DABBB2FF89300F1082EAD509A7254EB705AC1CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 61a379bac39dab593ec7d5da4cb96d7e37886e035220f8bde1dada06d3f14e08
                                                                              • Instruction ID: 9a9b445531e274a46d0174638a29f17c6b06d0bd0e759d663b81e0bc96c413eb
                                                                              • Opcode Fuzzy Hash: 61a379bac39dab593ec7d5da4cb96d7e37886e035220f8bde1dada06d3f14e08
                                                                              • Instruction Fuzzy Hash: F4512BB1E116188BDB58CF6B9D4469EFAF3AFC8300F14C1BA950DA6264DB301A858F51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 758ec4ab99f2cd5f0463cf7df026d45a0b9416d10769f78c2d144bc31ded0de9
                                                                              • Instruction ID: c75475e864e364fdb1c0b81a78fcbc2abc26fc32c7f45ab7267c768e300c9f0e
                                                                              • Opcode Fuzzy Hash: 758ec4ab99f2cd5f0463cf7df026d45a0b9416d10769f78c2d144bc31ded0de9
                                                                              • Instruction Fuzzy Hash: 8F514AB1E056598BEB58CF6B8D5479EFBF3AFC9300F14C1BA850CA6265EB3409858F11
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 998d077f935505ada74cbd6ccc85c197b10424faa4fdb2ac74ea9735d5d47394
                                                                              • Instruction ID: fc4f27ddf6946f6ce2110d71a37543e36932152eead6fe7f250bd62a38203826
                                                                              • Opcode Fuzzy Hash: 998d077f935505ada74cbd6ccc85c197b10424faa4fdb2ac74ea9735d5d47394
                                                                              • Instruction Fuzzy Hash: 33512770E5122A8BDB64CF65CD44BD9B7B2BF99300F1092EAD509A7254E770AAC1CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3e614f9cfecf168ee39d74dc69a92e9e86fb8da1dd206dc86faa27cc6808dad1
                                                                              • Instruction ID: 01fe9b50d3cf69fed207525c9a44210141cbcda0273abc44de37e751d5369685
                                                                              • Opcode Fuzzy Hash: 3e614f9cfecf168ee39d74dc69a92e9e86fb8da1dd206dc86faa27cc6808dad1
                                                                              • Instruction Fuzzy Hash: 2D111870D052588FDF148FAAC8187EEBAF1AF4E315F18A069D451B3291C7B88944CF78
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph (rendered graph; edge list omitted): function at 6e96210, basic blocks 6e96210-6e9836c; CreateProcessW called from block 6e98221-6e982be
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 06E982AB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              • Opcode ID: 3e8f522da081ee4fdb7a74440610bc907e0b48297c999755f71310e2e58a7b4c
                                                                              • Instruction ID: 608d902b69bccdd09920280a4c4fff4398814495398402dd86dbc3bad1273ff9
                                                                              • Opcode Fuzzy Hash: 3e8f522da081ee4fdb7a74440610bc907e0b48297c999755f71310e2e58a7b4c
                                                                              • Instruction Fuzzy Hash: FB51E671D007199FDB64CF99C880BDEBBB6BF49314F14849AE808A7250DB719A89CF61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 185 6e9814c-6e981e3 187 6e981ee-6e981f5 185->187 188 6e981e5-6e981eb 185->188 189 6e98200-6e98216 187->189 190 6e981f7-6e981fd 187->190 188->187 191 6e98218-6e9821e 189->191 192 6e98221-6e982be CreateProcessW 189->192 190->189 191->192 194 6e982c0-6e982c6 192->194 195 6e982c7-6e9833b 192->195 194->195 203 6e9834d-6e98354 195->203 204 6e9833d-6e98343 195->204 205 6e9836b 203->205 206 6e98356-6e98365 203->206 204->203 208 6e9836c 205->208 206->205 208->208
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 06E982AB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              • Opcode ID: 3359cfeb3976bfbf5d68a660d66edfc065f06ab1a493627f59beb154e8ab2a01
                                                                              • Instruction ID: 95d9466c13dd84886d56724ba73877fed0e7717681137a5cb346eaf4478aded1
                                                                              • Opcode Fuzzy Hash: 3359cfeb3976bfbf5d68a660d66edfc065f06ab1a493627f59beb154e8ab2a01
                                                                              • Instruction Fuzzy Hash: 3051E671D00719DFDB64CF99C880BDEBBB2BF49314F14849AE848A7260DB719A89CF51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 209 4943e8c-4943e91 210 4943e23-4943e24 call 4943e29 209->210 211 4943e93-4943f13 209->211 210->209 213 4943f1b-4943f59 CreateActCtxA 211->213 214 4943f62-4943fbc 213->214 215 4943f5b-4943f61 213->215 222 4943fbe-4943fc1 214->222 223 4943fcb-4943fcf 214->223 215->214 222->223 224 4943fe0 223->224 225 4943fd1-4943fdd 223->225 227 4943fe1 224->227 225->224 227->227
APIs
• CreateActCtxA.KERNEL32(?), ref: 04943F49
Memory Dump Source
• Source File: 00000000.00000002.313745137.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4940000_of4pojIP5C.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 52321fa670a590fd1b4a637f2b800ab78a7246eb4ed23d50965c06144a113be1
• Instruction ID: 6e7ebbfce5688b3e21d94158138981e470e20223eb421fbda074434eb175763d
• Opcode Fuzzy Hash: 52321fa670a590fd1b4a637f2b800ab78a7246eb4ed23d50965c06144a113be1
• Instruction Fuzzy Hash: AB41F5B1D00619CFDB24CFA9C884BDDBBF6BF98304F248169D408AB255DB716986CF50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 228 4941e9c-4943f59 CreateActCtxA 231 4943f62-4943fbc 228->231 232 4943f5b-4943f61 228->232 239 4943fbe-4943fc1 231->239 240 4943fcb-4943fcf 231->240 232->231 239->240 241 4943fe0 240->241 242 4943fd1-4943fdd 240->242 244 4943fe1 241->244 242->241 244->244
APIs
• CreateActCtxA.KERNEL32(?), ref: 04943F49
Memory Dump Source
• Source File: 00000000.00000002.313745137.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4940000_of4pojIP5C.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 31862ade13f24ebb11bac140f4aa7502290354f090b03dcb927066f922fa3552
• Instruction ID: dbe1504f5d785399bff33737ee91c5c494daf3ca31a78071006f7360cd564d74
• Opcode Fuzzy Hash: 31862ade13f24ebb11bac140f4aa7502290354f090b03dcb927066f922fa3552
• Instruction Fuzzy Hash: 7D41D2B1D0071DCFDB24DFA9C884B9EBBB5BF88304F248169D409AB255DB716985CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 245 4940cd0-4940d0c 246 4940d12-4940d17 245->246 247 4940dbc-4940ddc 245->247 248 4940d19-4940d50 246->248 249 4940d6a-4940da2 CallWindowProcW 246->249 253 4940ddf-4940dec 247->253 255 4940d52-4940d58 248->255 256 4940d59-4940d68 248->256 251 4940da4-4940daa 249->251 252 4940dab-4940dba 249->252 251->252 252->253 255->256 256->253
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 04940D91
Memory Dump Source
• Source File: 00000000.00000002.313745137.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4940000_of4pojIP5C.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: d48a7717b872b696e33321ac4704fad27cc9e9bc811e05fefe1bb0bd30f8c110
• Instruction ID: 3222dd4d8d67185a3b7ffdab5454da6771b0ef890ce846eabe5bf0b863bf0189
• Opcode Fuzzy Hash: d48a7717b872b696e33321ac4704fad27cc9e9bc811e05fefe1bb0bd30f8c110
• Instruction Fuzzy Hash: 3B410AB5A00305CFDB14CF99C848A9ABBF5FF88314F24C459D519AB325D775A845CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 259 6e98700-6e98751 261 6e98761-6e9879a WriteProcessMemory 259->261 262 6e98753-6e9875f 259->262 263 6e9879c-6e987a2 261->263 264 6e987a3-6e987c4 261->264 262->261 263->264
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E9878D
Memory Dump Source
• Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: a4301c898b5df1764ec8531114f455500d7a3161d42c1f37be226b7d8fbd3c1d
• Instruction ID: c8242ae02f56d7acf3b81eca4973208376ea665a044ed7099f7e772bca7828a9
• Opcode Fuzzy Hash: a4301c898b5df1764ec8531114f455500d7a3161d42c1f37be226b7d8fbd3c1d
• Instruction Fuzzy Hash: CC2103B5A003099FCB50CF9AD885BDEBBF4FF48314F10842AE818A3250D778A944CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 266 6e986f8-6e98751 268 6e98761-6e9879a WriteProcessMemory 266->268 269 6e98753-6e9875f 266->269 270 6e9879c-6e987a2 268->270 271 6e987a3-6e987c4 268->271 269->268 270->271
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E9878D
Memory Dump Source
• Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: c36047c7e596e58bd58a9b630a278356afc60bfa7eea696ed352dad399c9c7a0
• Instruction ID: e7feca71f5e7a786fa3906a0885e225ee88da6d5cc0d455901841bc2060cf575
• Opcode Fuzzy Hash: c36047c7e596e58bd58a9b630a278356afc60bfa7eea696ed352dad399c9c7a0
• Instruction Fuzzy Hash: B02113B5A002498FCB40CFA9D884BDEBBF1BB08314F14842AE818E7250D778A940CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 273 6e98580-6e98614 ReadProcessMemory 275 6e9861d-6e9863e 273->275 276 6e98616-6e9861c 273->276 276->275
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E98607
Memory Dump Source
• Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 2adc733fd640accf8dbef9ac405c5f3dc756d1a21a2b932828b1a9a76d9d2c5b
• Instruction ID: ccece0ea135c986e4a2db3c4dcd7b5204ab6cb4d84a539c5158ed13a0735eb47
• Opcode Fuzzy Hash: 2adc733fd640accf8dbef9ac405c5f3dc756d1a21a2b932828b1a9a76d9d2c5b
• Instruction Fuzzy Hash: 1421F0B5D00249DFCB10CF9AD880ADEBBF5BF08314F50842AE958A7251D378A955CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 278 6e98588-6e98614 ReadProcessMemory 280 6e9861d-6e9863e 278->280 281 6e98616-6e9861c 278->281 281->280
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E98607
Memory Dump Source
• Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: e9557794168b635946d806f24a1c997967982895eb96b1f33ba1dd09a9aa802e
• Instruction ID: 4055cb5ea190f307e33c7b7817dd294c93d6b9082d4b20eb6abc0d6de09179ef
• Opcode Fuzzy Hash: e9557794168b635946d806f24a1c997967982895eb96b1f33ba1dd09a9aa802e
• Instruction Fuzzy Hash: 5621EFB5900349DFCB10CF9AD884ADEBBF5FF48324F50842AE918A7251D378A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 283 6e92688-6e92710 VirtualProtect 285 6e92719-6e9273a 283->285 286 6e92712-6e92718 283->286 286->285
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 06E92703
Memory Dump Source
• Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: aa2ae19f84a4fbfc7f3623ca264c0673053dead8a0b8b1ab82bbe550f826e9cd
• Instruction ID: 2014b8c388c2d1915dd6d9e62043d9dd42c9974fdf49bdb1651581ee08d2c10e
• Opcode Fuzzy Hash: aa2ae19f84a4fbfc7f3623ca264c0673053dead8a0b8b1ab82bbe550f826e9cd
• Instruction Fuzzy Hash: A52124B5D002099FDB50CF9AC884BDEBBF4FF48324F10842AE458A7250D378AA45CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 06E9853F
Memory Dump Source
• Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: cb3283d982f3c2a5df99890840c4e03d5774307e347ca3548e569f0cdafccbf8
• Instruction ID: 13a4a44a6e9834477e9e386b9823eba43735a277ca9cb1929bfcb53b08737966
• Opcode Fuzzy Hash: cb3283d982f3c2a5df99890840c4e03d5774307e347ca3548e569f0cdafccbf8
• Instruction Fuzzy Hash: 1F2106B1D006199FCB50CF9AD9857DEFBF8BF48324F54852AD418A3250D778A944CFA1
Uniqueness

Uniqueness Score: -1.00%
                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 288 6e984c1-6e98514 290 6e98520-6e9854c SetThreadContext 288->290 291 6e98516-6e9851e 288->291 292 6e9854e-6e98554 290->292 293 6e98555-6e98576 290->293 291->290 292->293
                                                                              APIs
                                                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 06E9853F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThread
                                                                              • String ID:
                                                                              • API String ID: 1591575202-0
                                                                              • Opcode ID: 8cfe18b104009a75857980e8ab5d5c013fdf446ab50b236e34053d6183ebeee9
                                                                              • Instruction ID: 848fab96bab7751c95bf5b26084357239c917227f97d19156f581283035fd2e5
                                                                              • Opcode Fuzzy Hash: 8cfe18b104009a75857980e8ab5d5c013fdf446ab50b236e34053d6183ebeee9
                                                                              • Instruction Fuzzy Hash: B62136B5E006198FCB40CFAAD9847EEFBB4BB08314F54812AD418E3250D778A944CFA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 06E92703
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              • Opcode ID: c6ffcc60d338fac9ca374d84d3ee60b2efb60be7214225e7a138bd98a53e2780
                                                                              • Instruction ID: 9c335c76c4e64b4e005a83da1ed960a4cb2eaeab46acac67a472c673b6bc581b
                                                                              • Opcode Fuzzy Hash: c6ffcc60d338fac9ca374d84d3ee60b2efb60be7214225e7a138bd98a53e2780
                                                                              • Instruction Fuzzy Hash: 9E2103B59002099FCB10CF9AC884BDEBBF4FF48324F10842AE558A7250D378AA45CFA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E986C3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E986C3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06E98C35
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost
                                                                              • String ID:
                                                                              • API String ID: 410705778-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06E98C35
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost
                                                                              • String ID:
                                                                              • API String ID: 410705778-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kcL
                                                                              • API String ID: 0-1583812712
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kcL
                                                                              • API String ID: 0-1583812712
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 227a10c92df5578f11cadbcad01dc928d7620a94fd76e239ea270f0e459387e8
                                                                              • Instruction ID: e31806306a531c990e141e9034b4c2dfb5cd8d916eaaa861c6519849933231f1
                                                                              • Opcode Fuzzy Hash: 227a10c92df5578f11cadbcad01dc928d7620a94fd76e239ea270f0e459387e8
                                                                              • Instruction Fuzzy Hash: 42317C70E157489FDB08CF7AD95169EBBB3AF8A300F19C0AAD508AB265D6304A45CB61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d8d5646aa378ac06b7fe5b05049603342aa119bf5382a636baaa394810c53933
                                                                              • Instruction ID: 5338482314d0efda7d09b289432735c0ef3761578ee47c59de9b4b18db3122bc
                                                                              • Opcode Fuzzy Hash: d8d5646aa378ac06b7fe5b05049603342aa119bf5382a636baaa394810c53933
                                                                              • Instruction Fuzzy Hash: 4B319F70E153089FEB48CF6AD94169EBBF3AF89310F14D0AAD508AB3A5D6304A45CF61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5dc43c9375b540cf4207d2e50f685945200414fe241ca988f2bc149227e7a232
                                                                              • Instruction ID: 6dc22a3ec7b08dcddd3f0f56eb3e33e0ae29f00c3afd832c869ff7157e4dabec
                                                                              • Opcode Fuzzy Hash: 5dc43c9375b540cf4207d2e50f685945200414fe241ca988f2bc149227e7a232
                                                                              • Instruction Fuzzy Hash: 0A213670E112189FDF48CFAAD940A9EFBF3AFC9300F14C06AD508AB354D7308A448BA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b73248cce53cd040df69233e643149149116775165b5bafa67176d87e32f2c8b
                                                                              • Instruction ID: 787af2fdcaef30508ee3ae40d953ffe28912aa33e9cb04e1e49f8fa554d8bbf4
                                                                              • Opcode Fuzzy Hash: b73248cce53cd040df69233e643149149116775165b5bafa67176d87e32f2c8b
                                                                              • Instruction Fuzzy Hash: 24212E70E116189FDF58CFAAD94069EFBF3AFC9310F14D16A9508AB354D7304A458F51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.319024388.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6e90000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 11f51c10a2e8204850201e68da55415d0e3f1f691b01d764aa40f8390a10ac88
                                                                              • Instruction ID: 39cbb75d97dcef28c1e8cb6629b3b89828b2b71a5bf1fb9e079642a59aa4ef94
                                                                              • Opcode Fuzzy Hash: 11f51c10a2e8204850201e68da55415d0e3f1f691b01d764aa40f8390a10ac88
                                                                              • Instruction Fuzzy Hash: 5B115A30D052188EDF548FA9C809BEEBBF1AF4A311F14A07AD001B7294C7788944CF78
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Execution Graph

                                                                              Execution Coverage:13.7%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:2.5%
                                                                              Total number of Nodes:118
                                                                              Total number of Limit Nodes:15
                                                                              execution_graph: [node/edge listing of the rendered graph omitted] entry nodes 1355af0, 135f6f0, 6b21a78, 6b23758, 1350448; API calls reached in the graph: LoadLibraryA, GetUserNameW, GlobalMemoryStatusEx, GetModuleHandleW, CreateWindowExW, LoadLibraryExW, DuplicateHandle

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [basic-block edge listing of the rendered graph omitted] function at 135f6f0, 23 basic blocks spanning 135f6f0-135f8a8; API call in graph: GetUserNameW
                                                                              APIs
                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0135F82B
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.525981881.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_1350000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: NameUser
                                                                              • String ID:
                                                                              • API String ID: 2645101109-0
                                                                              • Opcode ID: b9c1c885f32652604429094e41f85e0f1a77e243ed322632bafcf23913650938
                                                                              • Instruction ID: 170372c2f2da57412b357b139f261382e4a3ba3a9e666c22893a6ec2c88c3481
                                                                              • Opcode Fuzzy Hash: b9c1c885f32652604429094e41f85e0f1a77e243ed322632bafcf23913650938
                                                                              • Instruction Fuzzy Hash: 87513474D102288FDB18CFA9C988B9EFBB9BF48718F158129E815BB354D774A844CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.532343090.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_69b0000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b09f3df4d2ad8e2072f09d641f37a98b12b8b2456f75492e30fdaf0c6d2bc158
                                                                              • Instruction ID: 5a76f9da0c34bbc2ed2a1a68cadb9077a756380b92407af4f01376d74843104c
                                                                              • Opcode Fuzzy Hash: b09f3df4d2ad8e2072f09d641f37a98b12b8b2456f75492e30fdaf0c6d2bc158
                                                                              • Instruction Fuzzy Hash: DD412372E043958FCB00DFBAC8402EABBF6EF89310F19856AE455A7641DB389945CBD1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [basic-block edge listing of the rendered graph omitted] function at 135f6e4, 23 basic blocks spanning 135f6e4-135f8a8; API call in graph: GetUserNameW
                                                                              APIs
                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0135F82B
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.525981881.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_1350000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: NameUser
                                                                              • String ID:
                                                                              • API String ID: 2645101109-0
                                                                              • Opcode ID: 2aecb6588050c9d65aa659c3b97b049cf4bce3850008c7ef8883650061abbea3
                                                                              • Instruction ID: d49b6d2716b65d2a1572ddec325c50de614d661d0f9e6816d6b2ca8c2373f788
                                                                              • Opcode Fuzzy Hash: 2aecb6588050c9d65aa659c3b97b049cf4bce3850008c7ef8883650061abbea3
                                                                              • Instruction Fuzzy Hash: FE514575D102288FDB58CFA9C984B9DFBB9BF48718F14812AE815BB394D774A844CF80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [basic-block edge listing of the rendered graph omitted] function at 6b2c644, 9 basic blocks spanning 6b2c644-6b2f468; API call in graph: CreateWindowExW
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B2F40A
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.532382605.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_6b20000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: db05fd5f8cbd16e47b82785f4d1ff1bb54f2a456a3dbb6008f42aa62586e2db4
                                                                              • Instruction ID: e22f98b7c0c37d057af5c84309454fa3a1e46198c190c13ef106730d3ffcedff
                                                                              • Opcode Fuzzy Hash: db05fd5f8cbd16e47b82785f4d1ff1bb54f2a456a3dbb6008f42aa62586e2db4
                                                                              • Instruction Fuzzy Hash: 8451B0B1D003199FDB14CF9AC984ADEBBF5FF48314F24812AE819AB210D775A985CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [basic-block edge listing of the rendered graph omitted] function at 135497c, 15 basic blocks spanning 135497c-1357752; API call in graph: LoadLibraryA
                                                                              APIs
                                                                              • LoadLibraryA.KERNELBASE(?), ref: 013576F7
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.525981881.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_1350000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: f0e8ec89089fa2d7164ff334234bfc849cd010f82b7a6a179716f2fa3fe4c0cb
                                                                              • Instruction ID: 31f9d04a2ee313fcfca6091f626e13a476bec77f9ddbe7d36d9b7f337617dc22
                                                                              • Opcode Fuzzy Hash: f0e8ec89089fa2d7164ff334234bfc849cd010f82b7a6a179716f2fa3fe4c0cb
                                                                              • Instruction Fuzzy Hash: 14417AB0D002188FDB50CFADC984B9EBBF1EB48718F148029E818E7384D7789885CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [basic-block edge listing of the rendered graph omitted] function at 1357605, 15 basic blocks spanning 1357605-1357752; API call in graph: LoadLibraryA
                                                                              APIs
                                                                              • LoadLibraryA.KERNELBASE(?), ref: 013576F7
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.525981881.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_1350000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 9d195e24cdea3a12a73d781d068e0f7d082df9c7edcee35045d78fc0ecd8c7a3
                                                                              • Instruction ID: cd75d7e8ce95dbed8325af9fd2b421a397b7693c9d5371d95699dd82440f9f0c
                                                                              • Opcode Fuzzy Hash: 9d195e24cdea3a12a73d781d068e0f7d082df9c7edcee35045d78fc0ecd8c7a3
                                                                              • Instruction Fuzzy Hash: 494168B0D102588FDB50CFADC984B9EBBF1EB48718F148429E814E7380D7789886CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [basic-block edge listing of the rendered graph omitted] function at 6b23498, 3 basic blocks spanning 6b23498-6b23a3a; API call in graph: DuplicateHandle
                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06B23946,?,?,?,?,?), ref: 06B23A07
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.532382605.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_6b20000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              • Opcode ID: a0ffe66034858556d2e6dd45c464a53dc30cc32829c852675ed92c3f1e99a512
                                                                              • Instruction ID: fd50da973f58a524681b283d604cd5282333febe4ae1c80790f3e3cdb63418d5
                                                                              • Opcode Fuzzy Hash: a0ffe66034858556d2e6dd45c464a53dc30cc32829c852675ed92c3f1e99a512
                                                                              • Instruction Fuzzy Hash: DC2105B59002199FDB10CF9AD984AEEBBF5EB48310F14845AE914A3310D378A954CFA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [basic-block edge listing of the rendered graph omitted] function at 69babf8, 3 basic blocks spanning 69babf8-69bc145; API call in graph: GlobalMemoryStatusEx
                                                                              APIs
                                                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,069BC01A), ref: 069BC107
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.532343090.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_69b0000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: GlobalMemoryStatus
                                                                              • String ID:
                                                                              • API String ID: 1890195054-0
                                                                              • Opcode ID: 19d42497bbe8296aae81e3acbd4893458dac2eebe44528b9206dbe7891748845
                                                                              • Instruction ID: bb2ea4cb0a56b49ecfb6b4b977e17fbb78232ae6aa26d998fe4a33afc625a22c
                                                                              • Opcode Fuzzy Hash: 19d42497bbe8296aae81e3acbd4893458dac2eebe44528b9206dbe7891748845
                                                                              • Instruction Fuzzy Hash: C41103B5C006199BCB10DF9AC9447EEFBF4EB48324F14816AE418B7640D378A955CFE5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 770 69bc098-69bc0de 771 69bc0e6-69bc114 GlobalMemoryStatusEx 770->771 772 69bc11d-69bc145 771->772 773 69bc116-69bc11c 771->773 773->772
                                                                              APIs
                                                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,069BC01A), ref: 069BC107
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.532343090.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_69b0000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: GlobalMemoryStatus
                                                                              • String ID:
                                                                              • API String ID: 1890195054-0
                                                                              • Opcode ID: 831bbebd71635b6fefade5607238323e231eb6a5ceea2ce85e4b246c4882d212
                                                                              • Instruction ID: 578896eedb56e1e5694a0aaf11a393aecc483fa4cf22a0bc718f509bc289ece8
                                                                              • Opcode Fuzzy Hash: 831bbebd71635b6fefade5607238323e231eb6a5ceea2ce85e4b246c4882d212
                                                                              • Instruction Fuzzy Hash: 6A1156B1C0021A8BCB10CF9AC944BDEFBB4AF08320F14811AD414B3240D3786944CFA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 776 6b2c508-6b2d648 778 6b2d650-6b2d67f LoadLibraryExW 776->778 779 6b2d64a-6b2d64d 776->779 780 6b2d681-6b2d687 778->780 781 6b2d688-6b2d6a5 778->781 779->778 780->781
                                                                              APIs
                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06B2D481,00000800,00000000,00000000), ref: 06B2D672
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.532382605.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_6b20000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: dbb3676a37f0ee5937e1c9895f5a73fd23b96990e6317b014b72bb1fa446f62c
                                                                              • Instruction ID: a5b1a88cf62a176c26a85ce56be94a3d9a7a7a2aa23fde048a94f65c7333a537
                                                                              • Opcode Fuzzy Hash: dbb3676a37f0ee5937e1c9895f5a73fd23b96990e6317b014b72bb1fa446f62c
                                                                              • Instruction Fuzzy Hash: 761126B6D002199FDB10CF9AC884ADEFBF5EF58314F10846EE419A7200C379A945CFA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 784 6b2c4c0-6b2d3e0 786 6b2d3e2-6b2d3e5 784->786 787 6b2d3e8-6b2d413 GetModuleHandleW 784->787 786->787 788 6b2d415-6b2d41b 787->788 789 6b2d41c-6b2d430 787->789 788->789
                                                                              APIs
                                                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06B2D1B3), ref: 06B2D406
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.532382605.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_6b20000_of4pojIP5C.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              • Opcode ID: d72ac7300d3d3431a7ab0fe907617a78ef17ecc3102e892361ddb080e94a3a5d
                                                                              • Instruction ID: 508da1250bc68068f81561cf239528dbf62e5a4f113c5562e1cf0c330464147c
                                                                              • Opcode Fuzzy Hash: d72ac7300d3d3431a7ab0fe907617a78ef17ecc3102e892361ddb080e94a3a5d
                                                                              • Instruction Fuzzy Hash: 7F1104B5D002198FDB20DF9AC944BDEFBF4EF48214F10845AD429B7200D375A545CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

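The four control_flow_graph lines above are the text form of the rendered graphs: numbered blocks with their printed start-end addresses, API names attached to the block that makes the call, and a->b edges. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses that line format into blocks and edges, finds the entry block and the successors of each API-calling block, and cross-checks that the ref: address printed under APIs falls inside the block carrying the same API name. The token grammar is inferred from these four lines only and is an assumption, as is treating the printed start and end as inclusive addresses; the sample input is the four lines copied from this section.

```python
import re
from dataclasses import dataclass, field

# Token shapes inferred from the control_flow_graph lines in this report.
# Assumption: the format is not documented here, it is read off the data.
BLOCK_ID_RE = re.compile(r"^\d+$")
RANGE_RE = re.compile(r"^([0-9a-fA-F]+)-([0-9a-fA-F]+)$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    bid: int            # node number the edges refer to
    start: int          # first address printed for the block
    end: int            # last address printed for the block (treated as inclusive)
    apis: list = field(default_factory=list)   # API names attached to the block


def parse_cfg(line: str):
    """Parse one 'control_flow_graph ...' line into (blocks, edges).

    A token is either '<id> <start>-<end>' (opens a new block), '<a>-><b>'
    (an edge) or a bare word, taken as an API name of the block opened last.
    Anything else raises ValueError, as does an edge to an undeclared block.
    """
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks: dict = {}
    edges: list = []
    current = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None           # API names never follow an edge token
            i += 1
            continue
        if BLOCK_ID_RE.match(tok) and i + 1 < len(tokens):
            r = RANGE_RE.match(tokens[i + 1])
            if r:
                current = Block(int(tok), int(r.group(1), 16), int(r.group(2), 16))
                blocks[current.bid] = current
                i += 2
                continue
        if current is None:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        current.apis.append(tok)
        i += 1
    for a, b in edges:
        if a not in blocks or b not in blocks:
            raise ValueError(f"edge {a}->{b} references an unknown block")
    return blocks, edges


def entry_blocks(blocks, edges):
    """Blocks with no predecessor: the function entry (normally exactly one)."""
    targets = {b for _, b in edges}
    return sorted(bid for bid in blocks if bid not in targets)


def successors(edges, bid):
    return sorted(b for a, b in edges if a == bid)


def block_containing(blocks, addr):
    """Id of the block whose printed range covers addr, or None."""
    for blk in blocks.values():
        if blk.start <= addr <= blk.end:
            return blk.bid
    return None


def api_call_sites(blocks, edges):
    """(api, block id, block start, successor count) for every API call.

    Two successors on the calling block means the code branches right
    after the call, i.e. it tests the API's result.
    """
    out = []
    for blk in blocks.values():
        for api in blk.apis:
            out.append((api, blk.bid, blk.start, len(successors(edges, blk.bid))))
    return sorted(out)


def ref_matches_block(blocks, api, ref):
    """True if the 'ref:' address from the APIs list lies inside a block that
    carries that API name; a cheap consistency check between the two parts
    of a record."""
    bid = block_containing(blocks, ref)
    return bid is not None and api in blocks[bid].apis


# Constructed sample input: the four graph lines printed in this section.
SAMPLE_LINES = [
    "control_flow_graph 763 69babf8-69bc114 GlobalMemoryStatusEx 766 69bc11d-69bc145 763->766 767 69bc116-69bc11c 763->767 767->766",
    "control_flow_graph 770 69bc098-69bc0de 771 69bc0e6-69bc114 GlobalMemoryStatusEx 770->771 772 69bc11d-69bc145 771->772 773 69bc116-69bc11c 771->773 773->772",
    "control_flow_graph 776 6b2c508-6b2d648 778 6b2d650-6b2d67f LoadLibraryExW 776->778 779 6b2d64a-6b2d64d 776->779 780 6b2d681-6b2d687 778->780 781 6b2d688-6b2d6a5 778->781 779->778 780->781",
    "control_flow_graph 784 6b2c4c0-6b2d3e0 786 6b2d3e2-6b2d3e5 784->786 787 6b2d3e8-6b2d413 GetModuleHandleW 784->787 788 6b2d415-6b2d41b 787->788 789 6b2d41c-6b2d430 787->789 788->789",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        blocks, edges = parse_cfg(line)
        print(entry_blocks(blocks, edges), api_call_sites(blocks, edges))
```

Run against the four lines, every API-calling block has exactly two successors, and each ref: address (069BC107, 06B2D672, 06B2D406) lands in the block labelled with its API. The section shows that the result of each call is branched on immediately; it does not show what the value is compared against, so any link to the report's sandbox-detection signatures has to come from the other sections, not from these graphs alone.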
Memory Dump Source
• Source File: 00000005.00000002.524323067.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f9d000_of4pojIP5C.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1741a339c94be9c57531f99abd80388bf0b1dedc710a4c666b2fb930df0bc2f
• Instruction ID: 54b61a9b6d574e5b33fcc28385d37c4940e55a2ebf816539f7c2c44a2a96372d
• Opcode Fuzzy Hash: a1741a339c94be9c57531f99abd80388bf0b1dedc710a4c666b2fb930df0bc2f
• Instruction Fuzzy Hash: 40212876500244DFEF05DF18D9C0B26BF65FB94324F34C569D9090B246C33AE856EBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.524323067.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f9d000_of4pojIP5C.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09ff6e37ea2e1d05cb86787970a5e3c4a0008430fdec862d36c3aa2e7328a01f
• Instruction ID: 99666c876b43898175f591620f686578e5e159f03634e9d690c235be414cb034
• Opcode Fuzzy Hash: 09ff6e37ea2e1d05cb86787970a5e3c4a0008430fdec862d36c3aa2e7328a01f
• Instruction Fuzzy Hash: C8212876900244DFEF05DF18D9C0B16BF65FB98328F388569D8050B256C33AD855EBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.524389268.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_fad000_of4pojIP5C.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 347457b3b145a9d423e80be07d0e421259becf648ab7ab85f32766db1a0e40dc
• Instruction ID: bf788a7fd1c3446714d670576505915e0d661741cc26dfed079affc0a0e27e55
• Opcode Fuzzy Hash: 347457b3b145a9d423e80be07d0e421259becf648ab7ab85f32766db1a0e40dc
• Instruction Fuzzy Hash: A52125B5504244DFDB10CF18D9C0B16BB65FB84324F24C56DD84A4B64AC33AD846DA62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.524389268.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_fad000_of4pojIP5C.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f17d72a4f3a47f6128bd1080270791f37139be3b2b27582ad16f67328a78a947
• Instruction ID: 14275ea6d6179bbcc9fd6cbb5ecf8eadc4cb1de71a947a23a4bbef5de7e0ae1e
• Opcode Fuzzy Hash: f17d72a4f3a47f6128bd1080270791f37139be3b2b27582ad16f67328a78a947
• Instruction Fuzzy Hash: 74215C7550D3C09FCB038B24D990B11BF71AB47224F29C5DBD8858F6A7C33A984ADB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.524323067.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f9d000_of4pojIP5C.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
• Instruction ID: e679f1d6069c93fa0b33c9f0ae65d23a9ae9329d2439c761c5a239b110522ec4
• Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
• Instruction Fuzzy Hash: 6711D276804240CFDF05CF14D9C0B16BF61FB94324F34C6A9D8480B616C33AD856DBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.524323067.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f9d000_of4pojIP5C.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
• Instruction ID: e8b44a20044a46cda51a6e5943fc162a9241360d6bbcda385b2819490efe9b46
• Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
• Instruction Fuzzy Hash: C811B176904280CFDF16CF14D9C4B16BF71FB94328F3886A9D8450B656C33AD856DBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.524323067.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f9d000_of4pojIP5C.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b6619c1704ede6227198915d5ed6903415d58117f0ac2e8fbdf79c32a644200
• Instruction ID: 8437e0e2a97bf3f52b819316d19d0f006267a0b47d5cad437697ff10074c0a89
• Opcode Fuzzy Hash: 5b6619c1704ede6227198915d5ed6903415d58117f0ac2e8fbdf79c32a644200
• Instruction Fuzzy Hash: 4501A772904344AAFB248A2ACC84767FFD8DF55374F28855AED051A287C3799844D6B1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.524323067.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f9d000_of4pojIP5C.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d13847c2a13e47618fdfe5e76de8ac5c9a301707fa8ae449664b9f69fbf835a5
• Instruction ID: 7c5e48b0523442e52f94253b3cc7e0ecb54a40e148438cac82099537b8b20557
• Opcode Fuzzy Hash: d13847c2a13e47618fdfe5e76de8ac5c9a301707fa8ae449664b9f69fbf835a5
• Instruction Fuzzy Hash: C4F0C272904244AAEB248A1ACCC4B62FFD8EB41334F28C55AED081B282C3799C44CAB1
Uniqueness
Uniqueness Score: -1.00%