
Windows Analysis Report
amiri.EXE

Overview

General Information

Sample name: amiri.EXE
Analysis ID: 1584734
MD5: 5846965ea2262a9b0b0fd907dadadf6d
SHA1: 948a609bcb8c7e1341c1edff2f4053a43671ec41
SHA256: 78bc701c9cd229e84655ab57438e6b546693b57ca79401febb75cf95a3166567

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Drops PE files to the startup folder
Uses Windows timers to delay execution
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory

Classification

  • System is w11x64_office
  • amiri.EXE (PID: 1868 cmdline: "C:\Users\user\Desktop\amiri.EXE" MD5: 5846965EA2262A9B0B0FD907DADADF6D)
  • amiri.EXE (PID: 6500 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE" MD5: 5846965EA2262A9B0B0FD907DADADF6D)
  • cleanup
No configs have been found
No yara matches
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\amiri.EXE, ProcessId: 1868, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE
No Suricata rule has matched

AV Detection

Source: amiri.EXE | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Avira: detection malicious, Label: TR/Agent.ihfyh
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | ReversingLabs: Detection: 72%
Source: amiri.EXE | Virustotal: Detection: 73%
Source: amiri.EXE | ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\amiri.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9680_none_88e394a52fab6222\MSVCR80.dll
Source: amiri.EXE | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\C# Work space\Najm_Information\Najm_Information\obj\Debug\Najm_Information.pdbxN* | source: amiri.EXE, amiri.EXE.1.dr
Source: Binary string: D:\C# Work space\Najm_Information\Najm_Information\obj\Debug\Najm_Information.pdb | source: amiri.EXE, amiri.EXE.1.dr
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Code function: 4x nop then mov eax, dword ptr [ebp+18h] | 6_2_00007FFCD6C306DC
Source: amiri.EXE, 00000001.00000002.12975157580.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: www.facebook.com/afg.najm/ equals www.facebook.com (Facebook)
Source: amiri.EXE, 00000001.00000002.12975157580.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: www.facebook.com/afg.najm/0y equals www.facebook.com (Facebook)
Source: amiri.EXE, amiri.EXE.1.dr | String found in binary or memory: www.najm.af5www.facebook.com/afg.najm/ equals www.facebook.com (Facebook)
Source: C:\Users\user\Desktop\amiri.EXE | Code function: 1_2_00007FFCD6C5610E
Source: C:\Users\user\Desktop\amiri.EXE | Code function: 1_2_00007FFCD6C54218
Source: C:\Users\user\Desktop\amiri.EXE | Code function: 1_2_00007FFCD6C50F1A
Source: C:\Users\user\Desktop\amiri.EXE | Code function: 1_2_00007FFCD6C51D7D
Source: C:\Users\user\Desktop\amiri.EXE | Code function: 1_2_00007FFCD6C57C30
Source: C:\Users\user\Desktop\amiri.EXE | Code function: 1_2_00007FFCD6C5423A
Source: C:\Users\user\Desktop\amiri.EXE | Code function: 1_2_00007FFCD6C57828
Source: amiri.EXE, 00000001.00000000.11709989161.0000000000766000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNajm_Information.exeB vs amiri.EXE
Source: amiri.EXE | Binary or memory string: OriginalFilenameNajm_Information.exeB vs amiri.EXE
Source: amiri.EXE.1.dr | Binary or memory string: OriginalFilenameNajm_Information.exeB vs amiri.EXE
Source: classification engine | Classification label: mal80.adwa.evad.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\amiri.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Mutant created: NULL
Source: amiri.EXE | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: amiri.EXE | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\amiri.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\amiri.EXE "C:\Users\user\Desktop\amiri.EXE"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE"
Source: C:\Users\user\Desktop\amiri.EXE | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, windows.storage.dll, wintypes.dll, profapi.dll, uxtheme.dll, dwrite.dll, shfolder.dll, ntmarta.dll, textshaping.dll, windowscodecs.dll, textinputframework.dll, coremessaging.dll, coreuicomponents.dll, cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, windows.storage.dll, wintypes.dll, profapi.dll, uxtheme.dll, dwrite.dll, shfolder.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\amiri.EXE | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: amiri.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: amiri.EXE | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: amiri.EXE | Static file information: File size 2892288 > 1048576
Source: amiri.EXE | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2a3000
Source: amiri.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Boot Survival

Source: C:\Users\user\Desktop\amiri.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE
Source: C:\Users\user\Desktop\amiri.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\amiri.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\amiri.EXE | User Timer Set: Timeout: 100ms
Source: C:\Users\user\Desktop\amiri.EXE | User Timer Set: Timeout: 500ms
Source: C:\Users\user\Desktop\amiri.EXE | Memory allocated: 1080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\amiri.EXE | Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\amiri.EXE | Memory allocated: 1AEC0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Memory allocated: 14C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Memory allocated: 1AF50000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Window / User API: threadDelayed 3456
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | Window / User API: threadDelayed 6543
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | TID: 2480 | Thread sleep count: 3456 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | TID: 2480 | Thread sleep time: -3456000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | TID: 2480 | Thread sleep count: 6543 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | TID: 2480 | Thread sleep time: -6543000s >= -30000s
Source: C:\Users\user\Desktop\amiri.EXE | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\amiri.EXE | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\amiri.EXE | Queries volume information (VolumeInformation) for the following font files; repeated queries of the same file are listed once:
  • C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf
  • C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCodeItalic.ttf
  • C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf
  • C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMonoItalic.ttf
  • C:\Windows\Fonts\ARIALNB.TTF
  • C:\Windows\Fonts\ARIALNBI.TTF
  • C:\Windows\Fonts\bahnschrift.ttf
  • C:\Windows\Fonts\FRADM.TTF
  • C:\Windows\Fonts\FRADMIT.TTF
  • C:\Windows\Fonts\FRAMDCN.TTF
  • C:\Windows\Fonts\FRADMCN.TTF
  • C:\Windows\Fonts\FRAHV.TTF
  • C:\Windows\Fonts\FRAHVIT.TTF
  • C:\Windows\Fonts\gadugib.ttf
  • C:\Windows\Fonts\Inkfree.ttf
  • C:\Windows\Fonts\javatext.ttf
  • C:\Windows\Fonts\LeelawUI.ttf
  • C:\Windows\Fonts\LeelUIsl.ttf
  • C:\Windows\Fonts\LeelaUIb.ttf
  • C:\Windows\Fonts\msjh.ttc
  • C:\Windows\Fonts\msjhl.ttc
  • C:\Windows\Fonts\msjhbd.ttc
  • C:\Windows\Fonts\msyh.ttc
  • C:\Windows\Fonts\msyhl.ttc
  • C:\Windows\Fonts\msyhbd.ttc
  • C:\Windows\Fonts\mmrtext.ttf
  • C:\Windows\Fonts\mmrtextb.ttf
  • C:\Windows\Fonts\Nirmala.ttf
  • C:\Windows\Fonts\NirmalaS.ttf
  • C:\Windows\Fonts\NirmalaB.ttf
  • C:\Windows\Fonts\SansSerifCollection.ttf
  • C:\Windows\Fonts\seguihis.ttf
  • C:\Windows\Fonts\SegUIVar.ttf
  • C:\Windows\Fonts\SitkaVF.ttf
  • C:\Windows\Fonts\SitkaVF-Italic.ttf
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\SitkaVF.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\SitkaVF.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCodeItalic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCodeItalic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCodeItalic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMonoItalic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMonoItalic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMonoItalic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMonoItalic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
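Nearly every row in this behaviour table is a volume-information query on a font file, which is what a GUI application does while enumerating installed fonts; the rows that carry signal are the second instance of the sample running from the per-user Startup folder and that instance's read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, a stable per-installation value commonly read to fingerprint a victim machine. The script below is an added triage example (not part of the Joe Sandbox report). It parses rows in the raw form this table is extracted to (the process path fused to the verb, a trailing "Jump to behavior" link text), also accepting a " | " between process and verb, and separates font-enumeration noise from the noteworthy entries. The sample rows are copied from this report; the row regex and the classification rules (font extensions, the MachineGuid check, the Startup-folder test) are assumptions of this example.

```python
"""Triage of Joe Sandbox behaviour rows: font-enumeration noise vs. signal.

Added example, not part of the report. Parses rows of the form
"Source: <process><verb>: <target> [VolumeInformation][Jump to behavior]".
Classification rules are this example's assumptions.
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*(?:\|\s*)?"                   # process path (fused to the verb in the extract)
    r"(?P<verb>Queries volume information|Key value queried):\s*"   # the two verbs seen in this table
    r"(?P<target>.+?)"                                              # file path or registry value
    r"(?:\s+VolumeInformation)?(?:Jump to behavior)?\s*$",          # information class + link residue
    re.IGNORECASE,
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"        # per-user and all-users Startup folders share this tail
FONT_EXTS = (".ttf", ".ttc", ".otf", ".fon")

# Rows copied verbatim from the report's behaviour table (raw extracted form).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior",
    r"Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior",
    r"Source: C:\Users\user\Desktop\amiri.EXEQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaCode.ttf VolumeInformationJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
]


def classify(verb, target):
    """Bucket one behaviour row (rules are this example's assumptions)."""
    t = target.lower()
    if verb.lower() == "key value queried" and t.endswith("machineguid"):
        return "machine-fingerprint"   # HKLM\...\Cryptography\MachineGuid: stable per-install identifier
    if "\\fonts\\" in t or t.endswith(FONT_EXTS):
        return "font-enumeration"      # GUI code walking installed fonts; also covers packaged app fonts
    return "other"


def triage(rows):
    """Group rows by process, count buckets, and list everything that is not font noise."""
    per_proc = defaultdict(Counter)
    noteworthy, unparsed = [], []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            unparsed.append(row)
            continue
        bucket = classify(m["verb"], m["target"])
        per_proc[m["proc"]][bucket] += 1
        if bucket != "font-enumeration":
            noteworthy.append({"process": m["proc"], "verb": m["verb"],
                               "target": m["target"], "bucket": bucket})
    findings = [
        {"process": proc,
         "launched_from_startup": STARTUP_DIR in proc.lower(),   # second instance = persistence already fired
         "counts": dict(counts)}
        for proc, counts in per_proc.items()
    ]
    return {"findings": findings, "noteworthy": noteworthy, "unparsed": unparsed}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Feed it the whole behaviour table and the output collapses to one line per process with a bucket count, plus the handful of rows worth reading by hand; anything that lands in "unparsed" is a row shape the regex has not seen and should be inspected rather than ignored.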
MITRE ATT&CK matrix, reconstructed from the report's grid. Each tactic lists its six cells in the report's row order; a number in parentheses is the marker the report attaches to a cell that has matching signatures, and cells without one are the unmatched entries of the matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: (12) Registry Run Keys / Startup Folder; (1) DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: (1) Process Injection; (12) Registry Run Keys / Startup Folder; (1) DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: (1) Masquerading; (12) Virtualization/Sandbox Evasion; (1) Disable or Modify Tools; (1) Process Injection; (1) Obfuscated Files or Information; (1) DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: (1) System Time Discovery; (1) Security Software Discovery; (12) Virtualization/Sandbox Evasion; (1) Application Window Discovery; (1) File and Directory Discovery; (12) System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: (1) Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: (1) Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
amiri.EXE | 73% | Virustotal |
amiri.EXE | 72% | ReversingLabs | ByteCode-MSIL.PUA.Presenoker
amiri.EXE | 100% | Avira | TR/Agent.ihfyh
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | 100% | Avira | TR/Agent.ihfyh
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE | 72% | ReversingLabs | ByteCode-MSIL.PUA.Presenoker
No Antivirus matches
Source | Detection | Scanner | Label
https://scripts.sil.org/OFL) | 0% | Avira URL Cloud | safe
http://sajatypeworks.comi | 0% | Avira URL Cloud | safe
http://sajatypeworks.comk | 0% | Avira URL Cloud | safe
https://scripts.sil.org/OFL | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designersG | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers/? | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers? | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://sajatypeworks.comi | amiri.EXE, 00000006.00000002.12977680585.000000001CD12000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scripts.sil.org/OFL) | amiri.EXE, 00000006.00000002.12977680585.000000001CD12000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://sajatypeworks.comk | amiri.EXE, 00000006.00000002.12977680585.000000001CD12000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://github.com/microsoft/cascadia-code/blob/main/LICENSE). | amiri.EXE, 00000006.00000002.12977680585.000000001CD12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.carterandcone.coml | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.sajatypeworks.com | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers/cabarga.htmlN | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.galapagosdesign.com/staff/dennis.htm | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers/frere-jones.html | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://scripts.sil.org/OFL | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp, amiri.EXE, 00000006.00000002.12977680585.000000001CD12000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.galapagosdesign.com/DPlease | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers8 | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.urwpp.deDPlease | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://scripts.sil.org/OFL | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.sakkal.com | amiri.EXE, 00000001.00000002.12980964057.000000001CBA5000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://github.com/microsoft/cascadia-code/blob/master/LICENSE). | amiri.EXE, 00000006.00000002.12977680585.000000001CD12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                                              No contacted IP infos
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1584734
                                              Start date and time:2025-01-06 12:12:36 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 5m 12s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                                              Run name:Potential for more IOCs and behavior
                                              Number of analysed new started processes analysed:39
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:amiri.EXE
                                              Detection:MAL
                                              Classification:mal80.adwa.evad.winEXE@2/2@0/0
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 98%
                                              • Number of executed functions: 25
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .EXE
                                              • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 204.79.197.203, 23.44.201.20, 23.56.254.164, 20.12.23.50, 20.103.156.88, 20.190.160.14
                                              • Excluded domains from analysis (whitelisted): www.bing.com, chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, x1.c.lencr.org, ocsp.digicert.com, login.live.com, res.public.onecdn.static.microsoft, ocsp.edge.digicert.com, c.pki.goog
                                              • Execution Graph export aborted for target amiri.EXE, PID 1868 because it is empty
                                              • Execution Graph export aborted for target amiri.EXE, PID 6500 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:14:04 | API Interceptor | 136544x Sleep call for process: amiri.EXE modified
12:13:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE
                                              No context
Match: fp2e7a.wpc.phicdn.net
Associated Sample Name / URL | Detection | Threat Name | Context
CheerSkullness.exe | malicious | Unknown | 192.229.221.95
Insomia.exe | malicious | LummaC | 192.229.221.95
Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 192.229.221.95
3lhrJ4X.exe | malicious | LiteHTTP Bot | 192.229.221.95
Your File Is Ready To Download.exe | malicious | Unknown | 192.229.221.95
http://www.klim.com | malicious | Unknown | 192.229.221.95
Reparto Trabajo TP4.xlsm | malicious | Unknown | 192.229.221.95
EwpsQzeky5.msi | malicious | Unknown | 192.229.221.95
https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690 | malicious | Unknown | 192.229.221.95
hcxmivKYfL.exe | malicious | RedLine | 192.229.221.95
No context
                                              Process:C:\Users\user\Desktop\amiri.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):2892288
                                              Entropy (8bit):6.5144726917503055
                                              Encrypted:false
                                              SSDEEP:49152:FGVEKSA+7FtRYji7rUXCmbIsIAeoVEKSA+7FtRYji7rUXCmbIsgOAAAWgWlA:YjSA+7XRYji7rUyyfjSA+7XRYji7rUyU
                                              MD5:5846965EA2262A9B0B0FD907DADADF6D
                                              SHA1:948A609BCB8C7E1341C1EDFF2F4053A43671EC41
                                              SHA-256:78BC701C9CD229E84655AB57438E6B546693B57CA79401FEBB75CF95A3166567
                                              SHA-512:2D54A8C08D2DE4765AF40BB8FD5EB306AB19C3AA2DC8428626BB54C4609932AF569C87231391DB348507FB7B8DC3F0135BD3504E3CBFCBD1BAE0EBF77687E8E8
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 72%
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\amiri.EXE
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):6.5144726917503055
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:amiri.EXE
                                              File size:2'892'288 bytes
                                              MD5:5846965ea2262a9b0b0fd907dadadf6d
                                              SHA1:948a609bcb8c7e1341c1edff2f4053a43671ec41
                                              SHA256:78bc701c9cd229e84655ab57438e6b546693b57ca79401febb75cf95a3166567
                                              SHA512:2d54a8c08d2de4765af40bb8fd5eb306ab19c3aa2dc8428626bb54c4609932af569c87231391db348507fb7b8dc3f0135bd3504e3cbfcbd1bae0ebf77687e8e8
                                              SSDEEP:49152:FGVEKSA+7FtRYji7rUXCmbIsIAeoVEKSA+7FtRYji7rUXCmbIsgOAAAWgWlA:YjSA+7XRYji7rUyyfjSA+7XRYji7rUyU
                                              TLSH:DCD5BE837F81F50CCA186EB0E521F59C3E5D6F392A0C47D61999338C39B9A4A2767633
                                              Icon Hash:1e6bcbc3c666330f
                                              Entrypoint:0x6a4ea2
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x5B53102F [Sat Jul 21 10:51:27 2018 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a4e50 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a6000 | 0x1ecec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a4d18 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2a2ea8 | 0x2a3000 | fe0e8825e04fc31d1866f5a6cfb11c6d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x2a6000 | 0x1ecec | 0x1ee00 | 93485f5312c398d264d481a3e0ef12ea | False | 0.3359849443319838 | data | 4.335506081075995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c6000 | 0xc | 0x200 | 9d3cc76bf2822d6aef0dbe5efdf8fd43 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x2a61a0 | 0x601c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9967891399772395
RT_ICON | 0x2ac1cc | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m |  |  | 0.13008695137820891
RT_ICON | 0x2bca04 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m |  |  | 0.21038025507794048
RT_ICON | 0x2c0c3c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m |  |  | 0.26400414937759337
RT_ICON | 0x2c31f4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m |  |  | 0.3405253283302064
RT_ICON | 0x2c42ac | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m |  |  | 0.5115248226950354
RT_GROUP_ICON | 0x2c4724 | 0x5a | data |  |  | 0.7666666666666667
RT_VERSION | 0x2c4790 | 0x35c | data |  |  | 0.40232558139534885
RT_MANIFEST | 0x2c4afc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 12:13:23.602216959 CET | 1.1.1.1 | 192.168.2.24 | 0x9e5b | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 12:13:23.602216959 CET | 1.1.1.1 | 192.168.2.24 | 0x9e5b | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false

Target ID: 1
Start time: 06:13:29
Start date: 06/01/2025
Path: C:\Users\user\Desktop\amiri.EXE
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\amiri.EXE"
Imagebase: 0x4c0000
File size: 2'892'288 bytes
MD5 hash: 5846965EA2262A9B0B0FD907DADADF6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 6
Start time: 06:13:39
Start date: 06/01/2025
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amiri.EXE"
Imagebase: 0x760000
File size: 2'892'288 bytes
MD5 hash: 5846965EA2262A9B0B0FD907DADADF6D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 72%, ReversingLabs
Reputation: low
Has exited: false
