Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
zHdApQc7XO.exe

Overview

General Information

Sample name:zHdApQc7XO.exe
renamed because original name is a hash value
Original sample name:6b4b9ced2c07fb6c8eb710e0b1f2c4cf.exe
Analysis ID:1516398
MD5:6b4b9ced2c07fb6c8eb710e0b1f2c4cf
SHA1:b6b4dd343d86d3f95a862744dbf74e31654bee0b
SHA256:8742d826742550fc07f65ac00f1e1e037a3941862aa85cde104945fa0decbff6
Tags:exeuser-abuse_ch
Infos:

Detection

PureLog Stealer, RedLine, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Enables security privileges
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • zHdApQc7XO.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\zHdApQc7XO.exe" MD5: 6B4B9CED2C07FB6C8EB710E0B1F2C4CF)
    • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 1376 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
NameDescriptionAttributionBlogpost URLsLink
zgRATzgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1729913845.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
    00000000.00000002.1712083386.0000000003DC5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      Process Memory Space: RegAsm.exe PID: 1376JoeSecurity_RedLineYara detected RedLine StealerJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.zHdApQc7XO.exe.3dc5570.0.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
          0.2.zHdApQc7XO.exe.3dc5570.0.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
            0.2.zHdApQc7XO.exe.3dc5570.0.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
            • 0x437f7:$s1: file:///
            • 0x43753:$s2: {11111-22222-10009-11112}
            • 0x43787:$s3: {11111-22222-50001-00000}
            • 0x4071c:$s4: get_Module
            • 0x3aec9:$s5: Reverse
            • 0x3bbb5:$s6: BlockCopy
            • 0x3ae88:$s7: ReadByte
            • 0x43809:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
            0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
              0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                Click to see the 4 entries

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                No Suricata rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: zHdApQc7XO.exeAvira: detected
                Multi AV Scanner detection for submitted file
                Source: zHdApQc7XO.exeReversingLabs: Detection: 71%
                Source: zHdApQc7XO.exeVirustotal: Detection: 73%Perma Link
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.0% probability
                Source: zHdApQc7XO.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: zHdApQc7XO.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: RegAsm.exe, 00000002.00000002.1732526719.00000000031FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
                Source: RegAsm.exe, 00000002.00000002.1732526719.00000000031FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
                Source: RegAsm.exe, 00000002.00000002.1732526719.00000000031FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb8 equals www.youtube.com (Youtube)
                Source: RegAsm.exe, 00000002.00000002.1732526719.00000000031FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
                Source: RegAsm.exe, 00000002.00000002.1732526719.00000000031FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003195000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.s
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003195000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003262000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                Source: RegAsm.exe, 00000002.00000002.1732526719.00000000033A8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_7bd79ee2-d

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                .NET source code contains very large array initializations
                Source: zHdApQc7XO.exe, MoveAngles.csLarge array initialization: MoveAngles: array initializer size 342528
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, Strings.csLarge array initialization: Strings: array initializer size 6160
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_013877132_2_01387713
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_013874682_2_01387468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03001A6E2_2_03001A6E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03001A702_2_03001A70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03000CA82_2_03000CA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: SecurityJump to behavior
                Source: zHdApQc7XO.exe, 00000000.00000000.1705953519.0000000000A88000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVQP.exeH vs zHdApQc7XO.exe
                Source: zHdApQc7XO.exe, 00000000.00000002.1712083386.0000000003DC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRidgepoles.exe" vs zHdApQc7XO.exe
                Source: zHdApQc7XO.exe, 00000000.00000002.1709982294.000000000103E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs zHdApQc7XO.exe
                Source: zHdApQc7XO.exeBinary or memory string: OriginalFilenameVQP.exeH vs zHdApQc7XO.exe
                Source: zHdApQc7XO.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: zHdApQc7XO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, Strings.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, A2H1lUZ15GsIooGy4G.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, A2H1lUZ15GsIooGy4G.csCryptographic APIs: 'CreateDecryptor'
                Source: classification engineClassification label: mal100.troj.evad.winEXE@5/2@0/0
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zHdApQc7XO.exe.logJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03
                Source: zHdApQc7XO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: zHdApQc7XO.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: zHdApQc7XO.exeReversingLabs: Detection: 71%
                Source: zHdApQc7XO.exeVirustotal: Detection: 73%
                Source: unknownProcess created: C:\Users\user\Desktop\zHdApQc7XO.exe "C:\Users\user\Desktop\zHdApQc7XO.exe"
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: textshaping.dllJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: zHdApQc7XO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: zHdApQc7XO.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: zHdApQc7XO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, A2H1lUZ15GsIooGy4G.cs.Net Code: D6hYRO9WQWeiYDaMiW7(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: zHdApQc7XO.exeStatic PE information: section name: .text entropy: 7.996405934048468
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, FieldRoot20.csHigh entropy of concatenated method names: 'Field1', 'Field5', 'Field2', 'Field3', 'Field4', 'Key4Database', 'Key3Database', 'pQohyHP8DBr6xXrIc1O', 'BeRmA0PpIuvAQKJh7fZ', 'VlkmPdPkIogdCWimEHS'
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, Strings.csHigh entropy of concatenated method names: 'Init', 'Decrypt', 'Get', 'WbflVniBskLAQhxTBw4', 'Yjpbwti0uCs3AxA05nn', 'OS4Ny5iE75KeWPgEyc3', 'B74KI8iFIgs2RfaNZrl', 'WHMm2Xig3D3pf7cXfPV', 'zt810GisOAMTFsGv198'
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, SystemInfoHelper.csHigh entropy of concatenated method names: '_003CCloseBrowser_003Eb__1', 'SM933J9khsBaDyjGHH7', 'jYN85J98kWJ6BxwW8La', 'ShowMessage', 'CloseBrowser', 'Add', 'GetProcessors', 'GetGraphicCards', 'GetBrowsers', 'GetSerialNumber'
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, Auhi.csHigh entropy of concatenated method names: 'I\u04341', 'I\u04342', 'I\u04343', 'I\u04344', 'RfR0L7PAlauwYm2LCrO', 'NlWMkUPLwQEV56544fl', 'YM8JFXPPlo2JitPu3js', 'E5iQBiPOabPrQMoff9N', 'F2bMTxPay7oy0W7mrV6', 'QudBOWPiRWTf7lwl9Nk'
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, FieldRoot19.csHigh entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'fep2XnLqwUHhLEZAGmK', 'vVOqMcLfTZiUZO3wmgk', 'Gk6UkAL3iJ7Aw8SKb1U', 'YUodOJLWM2m8TEv0EZ8', 'pWahnFLeU6nvSCmUbix', 'qXFC9PL48yu1Bm7rjTf', 'pag011LJUBLtiOpsQCx'
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, FieldRoot24.csHigh entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'RJE31mPU86XNhYsCinn', 'O4umAqPTM1rxOOdm1Nw', 'yGOeHJPnc7H52y8gaA4', 'gafJ4MPMOi07qhqKLtv', 'f0KYDWPuiYSdbWGUp8X', 'DEkfr9PRZAXGOMDsOL6'
                Source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, A2H1lUZ15GsIooGy4G.csHigh entropy of concatenated method names: 'ekFJcnmiTCHCTn9gnTp', 'HvHNesmQmghH6V4qZ83', 'LtQPyoxJn7', 'mCsmodmmiMMyfrKeH83', 'GXpWFwm6RVcKaVFCtK3', 'hkgnj0mdpWuEjmYcFN3', 'g38PJ8K3c0', 'AZCPHbxqQi', 'kjCPpoa2Hi', 'zssPO0JXVk'
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003262000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE@\^Q
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003262000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE`,^Q
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003262000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory allocated: 11C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory allocated: 2DC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory allocated: 1420000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 1340000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 3130000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2EA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exe TID: 2932Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2496Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003262000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe`,^q
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003262000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe
                Source: RegAsm.exe, 00000002.00000002.1732526719.0000000003262000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe@\^q
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                Contains functionality to inject code into remote processes
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeCode function: 0_2_02DC2145 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_02DC2145
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 456000Jump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 458000Jump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F05008Jump to behavior
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                Source: RegAsm.exe, 00000002.00000002.1732526719.00000000033A8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
                Source: RegAsm.exe, 00000002.00000002.1732526719.00000000033A8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
                Source: C:\Users\user\Desktop\zHdApQc7XO.exeQueries volume information: C:\Users\user\Desktop\zHdApQc7XO.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: zHdApQc7XO.exe, 00000000.00000002.1709982294.0000000001072000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
                Source: zHdApQc7XO.exe, 00000000.00000002.1709982294.0000000001072000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVP.exe

                Stealing of Sensitive Information

                barindex
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 0.2.zHdApQc7XO.exe.3dc5570.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.1729913845.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1712083386.0000000003DC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected RedLine Stealer
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1376, type: MEMORYSTR
                Yara detected zgRAT
                Source: Yara matchFile source: 0.2.zHdApQc7XO.exe.3dc5570.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

                Remote Access Functionality

                barindex
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 0.2.zHdApQc7XO.exe.3dc5570.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.1729913845.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1712083386.0000000003DC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected RedLine Stealer
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1376, type: MEMORYSTR
                Yara detected zgRAT
                Source: Yara matchFile source: 0.2.zHdApQc7XO.exe.3dc5570.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.zHdApQc7XO.exe.3dc5570.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                DLL Side-Loading                		412
                Process Injection                		1
                Masquerading                		11
                Input Capture                		111
                Security Software Discovery                		Remote Services11
                Input Capture                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                DLL Side-Loading                		1
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop Protocol11
                Archive Collected Data                		Junk DataExfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
                Virtualization/Sandbox Evasion                		Security Account Manager31
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook412
                Process Injection                		NTDS12
                System Information Discovery                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Obfuscated Files or Information                		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                Software Packing                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                zHdApQc7XO.exe71%ReversingLabsByteCode-MSIL.Trojan.Jalapeno
                zHdApQc7XO.exe74%VirustotalBrowse
                zHdApQc7XO.exe100%AviraHEUR/AGEN.1357677

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://www.fontbureau.com0%URL Reputationsafe
                http://www.fontbureau.com0%URL Reputationsafe
                http://www.fontbureau.com/designersG0%URL Reputationsafe
                http://www.fontbureau.com/designers/?0%URL Reputationsafe
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://www.fontbureau.com/designers?0%URL Reputationsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.fontbureau.com/designers0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.carterandcone.coml0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
                http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.fontbureau.com/designers80%URL Reputationsafe
                http://www.fonts.com0%URL Reputationsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                http://www.apache.org/licenses/LICENSE-2.00%Avira URL Cloudsafe
                https://api.ip.sb/ip0%Avira URL Cloudsafe
                https://api.ip.s0%Avira URL Cloudsafe
                https://discord.com/api/v9/users/0%Avira URL Cloudsafe
                http://www.apache.org/licenses/LICENSE-2.00%VirustotalBrowse
                https://discord.com/api/v9/users/0%VirustotalBrowse
                https://api.ip.sb/ip0%VirustotalBrowse

                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.apache.org/licenses/LICENSE-2.0RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.comRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designersGRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://api.ip.sb/ipRegAsm.exe, 00000002.00000002.1732526719.0000000003195000.00000004.00000800.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.com/designers/?RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.founder.com.cn/cn/bTheRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers?RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.tiro.comRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://api.ip.sRegAsm.exe, 00000002.00000002.1732526719.0000000003195000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.com/designersRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.goodfont.co.krRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.carterandcone.comlRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.sajatypeworks.comRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.typography.netDRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers/cabarga.htmlNRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.founder.com.cn/cn/cTheRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.galapagosdesign.com/staff/dennis.htmRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.founder.com.cn/cnRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers/frere-user.htmlRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.jiyu-kobo.co.jp/RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://discord.com/api/v9/users/RegAsm.exe, 00000002.00000002.1732526719.0000000003262000.00000004.00000800.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                http://www.galapagosdesign.com/DPleaseRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers8RegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fonts.comRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.sandoll.co.krRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.urwpp.deDPleaseRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.zhongyicts.com.cnRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.sakkal.comRegAsm.exe, 00000002.00000002.1736126435.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown

                World Map of Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1516398
                Start date and time:2024-09-24 07:28:11 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 8s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:zHdApQc7XO.exe
                renamed because original name is a hash value
                Original Sample Name:6b4b9ced2c07fb6c8eb710e0b1f2c4cf.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@5/2@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 98%
                • Number of executed functions: 24
                • Number of non-executed functions: 4
                Cookbook Comments:
                • Found application associated with file extension: .exe

                Warnings

                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

                No simulations

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASNs

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

                Download File
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1119
                Entropy (8bit):5.345080863654519
                Encrypted:false
                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                MD5:88593431AEF401417595E7A00FE86E5F
                SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zHdApQc7XO.exe.log

                Download File
                Process:C:\Users\user\Desktop\zHdApQc7XO.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):226
                Entropy (8bit):5.360398796477698
                Encrypted:false
                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                MD5:3A8957C6382192B71471BD14359D0B12
                SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                Malicious:true
                Reputation:high, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                Static File Info

                General

                File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.987801958413881
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:zHdApQc7XO.exe
                File size:351'744 bytes
                MD5:6b4b9ced2c07fb6c8eb710e0b1f2c4cf
                SHA1:b6b4dd343d86d3f95a862744dbf74e31654bee0b
                SHA256:8742d826742550fc07f65ac00f1e1e037a3941862aa85cde104945fa0decbff6
                SHA512:686b38e389a228771ad09bad5dea31f0994eb7009a5d52883fc6a931544654166c9d3303907c0445b6487f8f05840cb27188d339a6678965e77eda5a05088f7d
                SSDEEP:6144:JYfDPOqtaJVEQuKkVBPJWuaMp4ueSOlmBZ171gFzcZ6hTtKEBPlb8n7us8HfnhaQ:JY68HQuKcsVSOs3zgJYAgek7usYnhaQ
                TLSH:7774232718123B59EA3646387E396F883D3FF4A8786F6F85067C1C5E884770A22F5365
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.f.................R...........q... ........@.. ....................................`................................

                File Icon

                Icon Hash:90cececece8e8eb0

                Static PE Info

                General

                Entrypoint:0x45712e
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows cui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x66E346E1 [Thu Sep 12 19:54:09 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al

                Data Directories

                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IMPORT0x570e00x4b.text
                IMAGE_DIRECTORY_ENTRY_RESOURCE0x580000x618.rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC0x5a0000xc.reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG0x56fa80x1c.text
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                Sections

                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x20000x551340x552006d271b191f030653cb51e8377463621cFalse0.9946109810939795data7.996405934048468IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc0x580000x6180x80060dea610f03b44eca2fe8a9c91012b1cFalse0.34912109375data3.441024069214124IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc0x5a0000xc0x200caa56db269fcfc2b8d16f0ee6351201aFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

                NameRVASizeTypeLanguageCountryZLIB Complexity
                RT_VERSION0x580a00x384data0.45111111111111113
                RT_MANIFEST0x584280x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                Imports

                DLLImport
                mscoree.dll_CorExeMain

                Network Behavior

                No network behavior found

                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                High Level Behavior Distribution

                Click to dive into process behavior distribution

                Behavior

                Click to jump to process

                System Behavior

                General

                Target ID:0
                Start time:01:29:05
                Start date:24/09/2024
                Path:C:\Users\user\Desktop\zHdApQc7XO.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\zHdApQc7XO.exe"
                Imagebase:0xa30000
                File size:351'744 bytes
                MD5 hash:6B4B9CED2C07FB6C8EB710E0B1F2C4CF
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1712083386.0000000003DC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                General

                Target ID:1
                Start time:01:29:06
                Start date:24/09/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:2
                Start time:01:29:06
                Start date:24/09/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Imagebase:0xc90000
                File size:65'440 bytes
                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1729913845.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
                Has exited:true

                General

                Target ID:3
                Start time:01:29:06
                Start date:24/09/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Disassembly

                Reset < >

                  Execution Graph

                  Execution Coverage:39.4%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:15.8%
                  Total number of Nodes:38
                  Total number of Limit Nodes:1
                  execution_graph 294 11c0988 295 11c09a5 294->295 305 11c0b02 295->305 296 11c09bd 304 11c0b02 VirtualProtectEx 296->304 297 11c09d5 301 11c0a5b 297->301 310 11c04e0 297->310 302 11c0a2a 304->297 309 11c0b31 305->309 306 11c0e2e 306->296 307 11c0e9b VirtualProtectEx 308 11c0edb 307->308 308->296 309->306 309->307 311 11c0e50 VirtualProtectEx 310->311 313 11c09fe 311->313 313->301 314 11c04ec 313->314 315 11c0f08 CreateThread 314->315 317 11c0fb0 315->317 317->302 318 11c0978 319 11c09a5 318->319 327 11c0b02 VirtualProtectEx 319->327 320 11c09bd 328 11c0b02 VirtualProtectEx 320->328 321 11c09d5 322 11c04e0 VirtualProtectEx 321->322 325 11c0a5b 321->325 323 11c09fe 322->323 324 11c04ec CreateThread 323->324 323->325 326 11c0a2a 324->326 327->320 328->321 329 2dc2145 333 2dc217d CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 329->333 331 2dc235a WriteProcessMemory 332 2dc239f 331->332 334 2dc23a4 WriteProcessMemory 332->334 335 2dc23e1 WriteProcessMemory Wow64SetThreadContext ResumeThread 332->335 333->331 334->332 336 11c0f02 337 11c0f56 CreateThread 336->337 339 11c0fb0 337->339

                  Callgraph

                  Executed Functions

                  Function 02DC2145 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282threadinjectionmemoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02DC22B4
                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02DC22C7
                  • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02DC22E5
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02DC2309
                  • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02DC2334
                  • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02DC238C
                  • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02DC23D7
                  • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02DC2415
                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 02DC2451
                  • ResumeThread.KERNELBASE(?), ref: 02DC2460
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1711219689.0000000002DC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2dc1000_zHdApQc7XO.jbxd
                  Similarity
                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                  • String ID: GetP$Load$aryA$ress
                  • API String ID: 2687962208-977067982
                  • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                  • Instruction ID: 3033897cb9368746fb1f707434fd1b87e2d5ced2369585fe5fe313891aaa2842
                  • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                  • Instruction Fuzzy Hash: 75B1E57664024AAFDB60CF68CC80BDA77A5FF88714F158528EA0CAB341D774FA41CB94
                  Function 011C0B02 Relevance: 1.8, APIs: 1, Instructions: 311COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 23 11c0b02-11c0b61 27 11c0bef-11c0bfe 23->27 28 11c0b67-11c0b75 23->28 29 11c0c04-11c0c07 27->29 30 11c0ca3-11c0cb5 27->30 41 11c0b7c-11c0b9a 28->41 31 11c0c0a-11c0c12 29->31 33 11c0e2e-11c0e35 30->33 34 11c0cbb-11c0cc4 30->34 37 11c0e38-11c0ed9 VirtualProtectEx 31->37 38 11c0c18-11c0c29 31->38 35 11c0ccd-11c0cdb 34->35 36 11c0cc6-11c0ccc 34->36 35->37 39 11c0ce1-11c0cee 35->39 36->35 53 11c0edb 37->53 54 11c0ee0-11c0ef4 37->54 38->37 40 11c0c2f-11c0c3b 38->40 43 11c0cf7-11c0d02 39->43 44 11c0cf0-11c0cf6 39->44 45 11c0c3d-11c0c43 40->45 46 11c0c44-11c0c4f 40->46 41->37 58 11c0ba0-11c0bc1 41->58 43->37 47 11c0d08-11c0d15 43->47 44->43 45->46 46->37 48 11c0c55-11c0c62 46->48 47->37 51 11c0d1b-11c0d28 47->51 48->37 52 11c0c68-11c0c75 48->52 51->37 55 11c0d2e-11c0d3a 51->55 52->37 56 11c0c7b-11c0c87 52->56 53->54 55->37 59 11c0d40-11c0d4e 55->59 56->37 60 11c0c8d-11c0c9d 56->60 58->37 61 11c0bc7-11c0bd5 58->61 59->37 62 11c0d54-11c0d6b 59->62 60->30 60->31 61->37 63 11c0bdb-11c0be9 61->63 64 11c0d6d-11c0d73 62->64 65 11c0d74-11c0dd9 62->65 63->27 63->28 64->65 75 11c0dfc-11c0e12 65->75 76 11c0ddb-11c0def 65->76 80 11c0e17-11c0e28 75->80 76->75 79 11c0df1-11c0dfa 76->79 79->80 80->33 80->34
                  APIs
                  • VirtualProtectEx.KERNELBASE(?,03DC3590,?,?,?), ref: 011C0ECC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1710980141.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_11c0000_zHdApQc7XO.jbxd
                  Similarity
                  • API ID: ProtectVirtual
                  • String ID:
                  • API String ID: 544645111-0
                  • Opcode ID: 7483c364ac1dde86aa8168db31343d0861b2732a9b570251ffc0b190757df98c
                  • Instruction ID: 077eb9515c73c694d03b617272bd5934180d05c23cfccf2d3af7c2bf1c027fb9
                  • Opcode Fuzzy Hash: 7483c364ac1dde86aa8168db31343d0861b2732a9b570251ffc0b190757df98c
                  • Instruction Fuzzy Hash: 8DC14835A04229CFCB05CBA8C5805EDFBF2BF9D714F688559E448A7356C734AD42CBA4
                  Function 011C04EC Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 84 11c04ec-11c0f62 87 11c0f64-11c0f70 84->87 88 11c0f72-11c0fae CreateThread 84->88 87->88 89 11c0fb7-11c0fcb 88->89 90 11c0fb0-11c0fb6 88->90 90->89
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,?,00000000,?,?), ref: 011C0FA1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1710980141.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_11c0000_zHdApQc7XO.jbxd
                  Similarity
                  • API ID: CreateThread
                  • String ID:
                  • API String ID: 2422867632-0
                  • Opcode ID: 61c52aba92c27ce4362aecfa1cdb3e9c9186bc75f62f47f9187ed87d59f9c383
                  • Instruction ID: 711afddcaa009d0db8058e6178a7831171065d9ef2d7cf42762903aa5651d245
                  • Opcode Fuzzy Hash: 61c52aba92c27ce4362aecfa1cdb3e9c9186bc75f62f47f9187ed87d59f9c383
                  • Instruction Fuzzy Hash: D821EFB5900249DFCB14CF9AD984ADEBBF4FB48310F20842EE958A7350D774AA50CFA5
                  Function 011C0F02 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 92 11c0f02-11c0f62 94 11c0f64-11c0f70 92->94 95 11c0f72-11c0fae CreateThread 92->95 94->95 96 11c0fb7-11c0fcb 95->96 97 11c0fb0-11c0fb6 95->97 97->96
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,?,00000000,?,?), ref: 011C0FA1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1710980141.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_11c0000_zHdApQc7XO.jbxd
                  Similarity
                  • API ID: CreateThread
                  • String ID:
                  • API String ID: 2422867632-0
                  • Opcode ID: 210e9da39bec42ffbf938a55c78a0c0c82518414099eb9ef5694375bc3360275
                  • Instruction ID: 78f4b25da53311e54d840a62337c5b69b6adbb15608f641e2d8de4bcfe9219d6
                  • Opcode Fuzzy Hash: 210e9da39bec42ffbf938a55c78a0c0c82518414099eb9ef5694375bc3360275
                  • Instruction Fuzzy Hash: F221EFB5900349DFCB14CF99D984ADEBBF4FB48310F20842EE958A7250D375AA40CFA5
                  Function 011C04E0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 99 11c04e0-11c0ed9 VirtualProtectEx 102 11c0edb 99->102 103 11c0ee0-11c0ef4 99->103 102->103
                  APIs
                  • VirtualProtectEx.KERNELBASE(?,03DC3590,?,?,?), ref: 011C0ECC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1710980141.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_11c0000_zHdApQc7XO.jbxd
                  Similarity
                  • API ID: ProtectVirtual
                  • String ID:
                  • API String ID: 544645111-0
                  • Opcode ID: 8196b3e87c663240c8b495a6474d8f504bb82cfded1d841534d4c3cd0f654b48
                  • Instruction ID: abe42312de58a01511e7aa6d13dcbebf9c7770fc4b31eb6f5fa6820460437478
                  • Opcode Fuzzy Hash: 8196b3e87c663240c8b495a6474d8f504bb82cfded1d841534d4c3cd0f654b48
                  • Instruction Fuzzy Hash: 7421E0B5901259EFCB04CF9AD884ADEFFB4FB48320F10812AE918A7310D375A950CFA5

                  Execution Graph

                  Execution Coverage:11.2%
                  Dynamic/Decrypted Code Coverage:98.2%
                  Signature Coverage:0%
                  Total number of Nodes:228
                  Total number of Limit Nodes:8
                  execution_graph 23363 138e938 23364 138e97e GetCurrentProcess 23363->23364 23366 138e9c9 23364->23366 23367 138e9d0 GetCurrentThread 23364->23367 23366->23367 23368 138ea0d GetCurrentProcess 23367->23368 23369 138ea06 23367->23369 23370 138ea43 23368->23370 23369->23368 23371 138ea6b GetCurrentThreadId 23370->23371 23372 138ea9c 23371->23372 23388 3003310 23389 3003378 CreateWindowExW 23388->23389 23391 3003434 23389->23391 23391->23391 23400 300dd70 23401 300dda9 23400->23401 23403 138c160 23400->23403 23404 138c17b 23403->23404 23407 1389adc 23404->23407 23406 138c193 23406->23401 23408 1389ae7 23407->23408 23410 1389db3 23408->23410 23412 138c160 KiUserCallbackDispatcher 23408->23412 23409 1389df1 23409->23406 23410->23409 23413 138e54b 23410->23413 23412->23410 23414 138e571 23413->23414 23415 138e595 23414->23415 23418 138e820 23414->23418 23422 138e810 23414->23422 23415->23409 23419 138e82d 23418->23419 23420 138e867 23419->23420 23426 138cb20 23419->23426 23420->23415 23423 138e82d 23422->23423 23424 138cb20 KiUserCallbackDispatcher 23423->23424 23425 138e867 23423->23425 23424->23425 23425->23415 23428 138cb2b 23426->23428 23427 138f580 23428->23427 23430 138ef6c 23428->23430 23431 138ef77 23430->23431 23436 1387190 23431->23436 23434 138f5fe 23434->23427 23437 138719b 23436->23437 23439 1389db3 23437->23439 23441 138c160 KiUserCallbackDispatcher 23437->23441 23438 1389df1 23442 138f668 23438->23442 23439->23438 23440 138e54b KiUserCallbackDispatcher 23439->23440 23440->23438 23441->23439 23443 138f696 23442->23443 23444 138f762 KiUserCallbackDispatcher 23443->23444 23445 138f767 23443->23445 23444->23445 23446 30058b1 23447 3005922 23446->23447 23448 30059cc 23446->23448 23449 300597a CallWindowProcW 23447->23449 23451 3005929 23447->23451 23452 30011b4 23448->23452 23449->23451 23454 30011bf 23452->23454 23455 3004289 23454->23455 23456 30012dc CallWindowProcW 23454->23456 23456->23455 23457 129d01c 23458 129d034 23457->23458 23459 129d08e 23458->23459 23460 30011b4 CallWindowProcW 23458->23460 23464 30034b9 23458->23464 23468 3004229 23458->23468 23472 30034c8 23458->23472 23460->23459 23465 30034ee 23464->23465 23466 30011b4 CallWindowProcW 23465->23466 23467 300350f 23466->23467 23467->23459 23470 3004265 23468->23470 23471 3004289 23470->23471 23476 30012dc CallWindowProcW 23470->23476 23473 30034ee 23472->23473 23474 30011b4 CallWindowProcW 23473->23474 23475 300350f 23474->23475 23475->23459 23476->23471 23373 3000948 23374 3000964 23373->23374 23376 30009b9 23374->23376 23379 3000a40 23374->23379 23384 3000a50 23374->23384 23375 30009b4 23380 3000a6f 23379->23380 23381 3000a75 23379->23381 23380->23381 23382 3000c18 23380->23382 23383 3000bf0 KiUserCallbackDispatcher 23380->23383 23381->23375 23382->23375 23383->23382 23385 3000a6f 23384->23385 23387 3000a75 23384->23387 23386 3000bf0 KiUserCallbackDispatcher 23385->23386 23385->23387 23386->23387 23387->23375 23392 138c490 23395 138c577 23392->23395 23393 138c49f 23396 138c5bc 23395->23396 23397 138c599 23395->23397 23396->23393 23397->23396 23398 138c7c0 GetModuleHandleW 23397->23398 23399 138c7ed 23398->23399 23399->23393 23477 138eb80 DuplicateHandle 23478 138ec16 23477->23478 23479 13846c0 23480 13846d2 23479->23480 23481 13846da 23480->23481 23493 13847f9 23480->23493 23485 138425c 23481->23485 23486 1384267 23485->23486 23498 1387120 23486->23498 23488 1388978 23502 3007c68 23488->23502 23511 3007c98 23488->23511 23521 3007c58 23488->23521 23489 13846f0 23494 138481d 23493->23494 23622 1384908 23494->23622 23626 13848f8 23494->23626 23499 138712b 23498->23499 23530 1387130 23499->23530 23501 1388a45 23501->23488 23503 3007c7d 23502->23503 23507 3007c90 23503->23507 23538 3009d30 23503->23538 23542 3009d5f 23503->23542 23547 3009e79 23503->23547 23552 3009d75 23503->23552 23557 3009d21 23503->23557 23561 3009ed0 23503->23561 23507->23489 23512 3007ca6 23511->23512 23513 3007c56 23511->23513 23514 3007c90 23513->23514 23515 3009d30 KiUserCallbackDispatcher 23513->23515 23516 3009ed0 GetCurrentThreadId 23513->23516 23517 3009d21 KiUserCallbackDispatcher 23513->23517 23518 3009d75 GetCurrentThreadId 23513->23518 23519 3009e79 GetCurrentThreadId 23513->23519 23520 3009d5f GetCurrentThreadId 23513->23520 23514->23489 23515->23514 23516->23514 23517->23514 23518->23514 23519->23514 23520->23514 23522 3007c7d 23521->23522 23523 3009d30 KiUserCallbackDispatcher 23522->23523 23524 3009ed0 GetCurrentThreadId 23522->23524 23525 3009d21 KiUserCallbackDispatcher 23522->23525 23526 3009d75 GetCurrentThreadId 23522->23526 23527 3009e79 GetCurrentThreadId 23522->23527 23528 3007c90 23522->23528 23529 3009d5f GetCurrentThreadId 23522->23529 23523->23528 23524->23528 23525->23528 23526->23528 23527->23528 23528->23489 23529->23528 23531 138713b 23530->23531 23534 1387160 23531->23534 23533 1388b22 23533->23501 23535 138716b 23534->23535 23536 1387190 KiUserCallbackDispatcher 23535->23536 23537 1388c25 23536->23537 23537->23533 23539 3009d54 23538->23539 23566 300994c 23539->23566 23543 3009d67 23542->23543 23543->23542 23544 3009e35 23543->23544 23596 300edc8 23543->23596 23607 300ed7f 23543->23607 23544->23507 23544->23544 23548 3009d5f 23547->23548 23549 3009e35 23547->23549 23548->23549 23550 300edc8 GetCurrentThreadId 23548->23550 23551 300ed7f GetCurrentThreadId 23548->23551 23549->23507 23550->23549 23551->23549 23553 3009d5f 23552->23553 23554 3009e35 23553->23554 23555 300edc8 GetCurrentThreadId 23553->23555 23556 300ed7f GetCurrentThreadId 23553->23556 23554->23507 23555->23554 23556->23554 23558 3009d54 23557->23558 23559 300994c KiUserCallbackDispatcher 23558->23559 23560 3009fc0 23559->23560 23562 3009ee2 23561->23562 23564 300edc8 GetCurrentThreadId 23562->23564 23565 300ed7f GetCurrentThreadId 23562->23565 23563 3009e42 23563->23507 23564->23563 23565->23563 23567 3009957 23566->23567 23570 30099bc 23567->23570 23569 3009fc0 23571 30099c7 23570->23571 23574 1389adc KiUserCallbackDispatcher 23571->23574 23577 1387190 KiUserCallbackDispatcher 23571->23577 23578 13899e8 23571->23578 23584 1389ad0 23571->23584 23590 1389aff 23571->23590 23572 300a17c 23572->23569 23574->23572 23577->23572 23579 13899ed 23578->23579 23581 1389db3 23579->23581 23583 138c160 KiUserCallbackDispatcher 23579->23583 23580 1389df1 23580->23572 23581->23580 23582 138e54b KiUserCallbackDispatcher 23581->23582 23582->23580 23583->23581 23585 1389ad5 23584->23585 23587 1389db3 23585->23587 23589 138c160 KiUserCallbackDispatcher 23585->23589 23586 1389df1 23586->23572 23587->23586 23588 138e54b KiUserCallbackDispatcher 23587->23588 23588->23586 23589->23587 23591 1389b2b 23590->23591 23593 1389db3 23591->23593 23595 138c160 KiUserCallbackDispatcher 23591->23595 23592 1389df1 23592->23572 23593->23592 23594 138e54b KiUserCallbackDispatcher 23593->23594 23594->23592 23595->23593 23598 300eddd 23596->23598 23597 300ee63 23605 300edc8 GetCurrentThreadId 23597->23605 23606 300ed7f GetCurrentThreadId 23597->23606 23598->23597 23600 300ee98 23598->23600 23599 300ee6d 23599->23544 23604 300ef9c 23600->23604 23618 300d344 23600->23618 23602 300efc0 23603 300d344 GetCurrentThreadId 23602->23603 23603->23604 23604->23544 23605->23599 23606->23599 23609 300eddd 23607->23609 23608 300ee63 23616 300edc8 GetCurrentThreadId 23608->23616 23617 300ed7f GetCurrentThreadId 23608->23617 23609->23608 23611 300ee98 23609->23611 23610 300ee6d 23610->23544 23612 300d344 GetCurrentThreadId 23611->23612 23615 300ef9c 23611->23615 23613 300efc0 23612->23613 23614 300d344 GetCurrentThreadId 23613->23614 23614->23615 23615->23544 23616->23610 23617->23610 23619 300d34f 23618->23619 23620 300f2df GetCurrentThreadId 23619->23620 23621 300f2ca 23619->23621 23620->23621 23621->23602 23623 138492f 23622->23623 23624 1384a0c 23623->23624 23630 138456c 23623->23630 23624->23624 23627 1384908 23626->23627 23628 138456c CreateActCtxA 23627->23628 23629 1384a0c 23627->23629 23628->23629 23631 1385998 CreateActCtxA 23630->23631 23633 1385a5b 23631->23633 23634 300373e 23636 3003747 23634->23636 23635 3003896 23636->23635 23638 3003528 23636->23638 23639 3003540 23638->23639 23639->23635 23640 3003558 SetWindowLongW 23639->23640 23641 30035c4 23640->23641 23641->23635

                  Executed Functions

                  Function 01387713 Relevance: 8.5, Strings: 6, Instructions: 1018COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 787 1387713-1387719 788 138771b-1387742 787->788 789 1387711 787->789 791 1387749-1387844 788->791 792 1387744 788->792 789->787 790 1387709-138770d 789->790 794 138784a-138798c 791->794 795 1387fc1-1387fe9 791->795 792->791 839 1387f8a-1387fb4 794->839 840 1387992-13879ed 794->840 798 13886f1-13886fa 795->798 799 1388700-1388718 798->799 800 1387ff7-1388001 798->800 802 1388008-13880c3 800->802 803 1388003 800->803 818 13880ca-13880ea 802->818 803->802 820 13880f0-13880fd 818->820 821 13880ff-138810b 820->821 822 1388127 820->822 825 138810d-1388113 821->825 826 1388115-138811b 821->826 824 138812d-138814d 822->824 830 13881ad-138822d 824->830 831 138814f-13881a8 824->831 828 1388125 825->828 826->828 828->824 850 138822f-1388280 830->850 851 1388282-13882c5 830->851 843 13886ee 831->843 853 1387fbe 839->853 854 1387fb6 839->854 847 13879ef 840->847 848 13879f2-13879fd 840->848 843->798 847->848 852 1387e9c-1387ea2 848->852 876 13882d0-13882d9 850->876 851->876 855 1387ea8-1387f25 call 13801e0 852->855 856 1387a02-1387a20 852->856 853->795 854->853 896 1387f74-1387f7a 855->896 859 1387a22-1387a26 856->859 860 1387a77-1387a8c 856->860 859->860 864 1387a28-1387a33 859->864 861 1387a8e 860->861 862 1387a93-1387aa9 860->862 861->862 868 1387aab 862->868 869 1387ab0-1387ac7 862->869 865 1387a69-1387a6f 864->865 871 1387a71-1387a72 865->871 872 1387a35-1387a39 865->872 868->869 874 1387ac9 869->874 875 1387ace-1387ae4 869->875 881 1387af5-1387bcd 871->881 877 1387a3b 872->877 878 1387a3f-1387a57 872->878 874->875 879 1387aeb-1387af2 875->879 880 1387ae6 875->880 883 1388339-1388348 876->883 877->878 884 1387a59 878->884 885 1387a5e-1387a66 878->885 879->881 880->879 886 1387bcf-1387bd1 881->886 887 1387c05-1387c40 881->887 890 138834a-13883d2 883->890 891 13882db-1388303 883->891 884->885 885->865 886->887 889 1387bd3-1387bff 886->889 897 1387c42-1387c4e 887->897 898 1387c54-1387da0 887->898 889->887 926 138854b-1388557 890->926 893 138830a-1388333 891->893 894 1388305 891->894 893->883 894->893 901 1387f7c-1387f82 896->901 902 1387f27-1387f71 896->902 897->898 907 1387da2-1387da6 898->907 908 1387e04-1387e19 898->908 901->839 902->896 907->908 909 1387da8-1387db7 907->909 911 1387e1b 908->911 912 1387e20-1387e41 908->912 913 1387df6-1387dfc 909->913 911->912 915 1387e48-1387e67 912->915 916 1387e43 912->916 920 1387db9-1387dbd 913->920 921 1387dfe-1387dff 913->921 917 1387e69 915->917 918 1387e6e-1387e8e 915->918 916->915 917->918 924 1387e90 918->924 925 1387e95 918->925 922 1387dbf-1387dc3 920->922 923 1387dc7-1387de8 920->923 928 1387e99 921->928 922->923 931 1387dea 923->931 932 1387def-1387df3 923->932 924->925 925->928 929 138855d-13885bb 926->929 930 13883d7-13883e0 926->930 928->852 947 13885bd-13885f0 929->947 948 13885f2-138861c 929->948 933 13883e9-138853f 930->933 934 13883e2 930->934 931->932 932->913 952 1388545 933->952 934->933 936 1388479-13884b9 934->936 937 13884be-13884fe 934->937 938 13883ef-138842f 934->938 939 1388434-1388474 934->939 936->952 937->952 938->952 939->952 956 1388625-13886df 947->956 948->956 952->926 956->843
                  Strings
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$TJcq$Te^q$pbq$w8pJ$xbaq
                  • API String ID: 0-2151838952
                  • Opcode ID: d80062ed48b39ba55739071e89cebfd2031e5199365034c0bf3be564631622b9
                  • Instruction ID: e876cebab6b9582aef0de5d251e28532f91d03b6268f24aa302df85e418cd115
                  • Opcode Fuzzy Hash: d80062ed48b39ba55739071e89cebfd2031e5199365034c0bf3be564631622b9
                  • Instruction Fuzzy Hash: 0CB2B475E00228CFDB65DF69C984B99BBB2FF89304F1481E9D509AB265DB319E81CF40
                  Function 0138E928 Relevance: 6.1, APIs: 4, Instructions: 134threadCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1070 138e928-138e9c7 GetCurrentProcess 1074 138e9c9-138e9cf 1070->1074 1075 138e9d0-138ea04 GetCurrentThread 1070->1075 1074->1075 1076 138ea0d-138ea41 GetCurrentProcess 1075->1076 1077 138ea06-138ea0c 1075->1077 1078 138ea4a-138ea62 1076->1078 1079 138ea43-138ea49 1076->1079 1077->1076 1091 138ea65 call 138eee8 1078->1091 1092 138ea65 call 138eb13 1078->1092 1079->1078 1083 138ea6b-138ea9a GetCurrentThreadId 1084 138ea9c-138eaa2 1083->1084 1085 138eaa3-138eb05 1083->1085 1084->1085 1091->1083 1092->1083
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 0138E9B6
                  • GetCurrentThread.KERNEL32 ref: 0138E9F3
                  • GetCurrentProcess.KERNEL32 ref: 0138EA30
                  • GetCurrentThreadId.KERNEL32 ref: 0138EA89
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: 1a044d8a8d6d14999be2792065df2572f97d4944e9727b884a5d9222ef709d0e
                  • Instruction ID: 5f3956a8f32502cbf62cbb14bf721570b8b3dccfc28eba888f88de227e0c5865
                  • Opcode Fuzzy Hash: 1a044d8a8d6d14999be2792065df2572f97d4944e9727b884a5d9222ef709d0e
                  • Instruction Fuzzy Hash: 315165B09013498FEB54DFA9D548BEEFFF1AF88308F248469D459A7260C7749888CF65
                  Function 0138E938 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1093 138e938-138e9c7 GetCurrentProcess 1097 138e9c9-138e9cf 1093->1097 1098 138e9d0-138ea04 GetCurrentThread 1093->1098 1097->1098 1099 138ea0d-138ea41 GetCurrentProcess 1098->1099 1100 138ea06-138ea0c 1098->1100 1101 138ea4a-138ea62 1099->1101 1102 138ea43-138ea49 1099->1102 1100->1099 1114 138ea65 call 138eee8 1101->1114 1115 138ea65 call 138eb13 1101->1115 1102->1101 1106 138ea6b-138ea9a GetCurrentThreadId 1107 138ea9c-138eaa2 1106->1107 1108 138eaa3-138eb05 1106->1108 1107->1108 1114->1106 1115->1106
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 0138E9B6
                  • GetCurrentThread.KERNEL32 ref: 0138E9F3
                  • GetCurrentProcess.KERNEL32 ref: 0138EA30
                  • GetCurrentThreadId.KERNEL32 ref: 0138EA89
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: 3e78219b8c4e8bd25c0481bfdaf5b0c9aa56932ae57b4f91a9bed1af49f48e96
                  • Instruction ID: 6fa83321b2b340cd07b705373217c1e60f19c15fc646889cc507a570f9635aa5
                  • Opcode Fuzzy Hash: 3e78219b8c4e8bd25c0481bfdaf5b0c9aa56932ae57b4f91a9bed1af49f48e96
                  • Instruction Fuzzy Hash: 695165B09003498FEB14DFA9D548B9EFBF1EF48308F208469D119A7260CB749888CF65
                  Function 03000A50 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1138 3000a50-3000a69 1139 3000aec-3000aef 1138->1139 1140 3000a6f-3000a73 1138->1140 1141 3000af0-3000b5e 1140->1141 1142 3000a75-3000a8f 1140->1142 1162 3000b64-3000b8a 1141->1162 1163 3000c18-3000c1d 1141->1163 1147 3000a91-3000a98 1142->1147 1148 3000aa3-3000ac5 1142->1148 1147->1148 1149 3000a9a-3000a9c 1147->1149 1155 3000acc-3000ace 1148->1155 1149->1148 1156 3000ad0-3000adc 1155->1156 1157 3000ae5 1155->1157 1156->1157 1161 3000ade 1156->1161 1157->1139 1161->1157 1167 3000b9a-3000b9f 1162->1167 1168 3000b8c-3000b97 1162->1168 1169 3000ba1 1167->1169 1170 3000ba8-3000bb0 1167->1170 1168->1167 1169->1170 1171 3000bb2-3000bcb 1170->1171 1172 3000bd5-3000c0e KiUserCallbackDispatcher 1170->1172 1171->1172 1176 3000c13 call 300d3c0 1172->1176 1177 3000c13 call 300d3b3 1172->1177 1178 3000c13 call 300d4be 1172->1178 1176->1163 1177->1163 1178->1163
                  APIs
                  • KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,041360D8,03183870,?,00000000,?,00000000,00000000), ref: 03000C07
                  Strings
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID: CallbackDispatcherUser
                  • String ID: Hbq
                  • API String ID: 2492992576-1245868
                  • Opcode ID: dfde06098b1b9a922d305ccbc21f10392e9f2d67bf6da067a60a9b6e67ba2482
                  • Instruction ID: a883def83eab55b5de629d78981dba11887c999595d3716c978da7e60bcfa760
                  • Opcode Fuzzy Hash: dfde06098b1b9a922d305ccbc21f10392e9f2d67bf6da067a60a9b6e67ba2482
                  • Instruction Fuzzy Hash: F1518B383006118FE758EB39C854B2EB7EAAFD5A58F198069E406CB3A1CF74DC068791
                  Function 0138C577 Relevance: 1.7, APIs: 1, Instructions: 202COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1179 138c577-138c597 1180 138c599-138c5a6 call 138b4f0 1179->1180 1181 138c5c3-138c5c7 1179->1181 1186 138c5a8 1180->1186 1187 138c5bc 1180->1187 1183 138c5c9-138c5d3 1181->1183 1184 138c5db-138c61c 1181->1184 1183->1184 1190 138c629-138c637 1184->1190 1191 138c61e-138c626 1184->1191 1234 138c5ae call 138cc20 1186->1234 1235 138c5ae call 138cc10 1186->1235 1187->1181 1192 138c639-138c63e 1190->1192 1193 138c65b-138c65d 1190->1193 1191->1190 1195 138c649 1192->1195 1196 138c640-138c647 call 138b4fc 1192->1196 1198 138c660-138c667 1193->1198 1194 138c5b4-138c5b6 1194->1187 1197 138c6f8-138c7b8 1194->1197 1200 138c64b-138c659 1195->1200 1196->1200 1229 138c7ba-138c7bd 1197->1229 1230 138c7c0-138c7eb GetModuleHandleW 1197->1230 1201 138c669-138c671 1198->1201 1202 138c674-138c67b 1198->1202 1200->1198 1201->1202 1204 138c688-138c691 call 138b50c 1202->1204 1205 138c67d-138c685 1202->1205 1210 138c69e-138c6a3 1204->1210 1211 138c693-138c69b 1204->1211 1205->1204 1212 138c6c1-138c6c5 1210->1212 1213 138c6a5-138c6ac 1210->1213 1211->1210 1236 138c6c8 call 138cf20 1212->1236 1237 138c6c8 call 138cef0 1212->1237 1213->1212 1215 138c6ae-138c6be call 138b51c call 138b52c 1213->1215 1215->1212 1218 138c6cb-138c6ce 1220 138c6d0-138c6ee 1218->1220 1221 138c6f1-138c6f7 1218->1221 1220->1221 1229->1230 1231 138c7ed-138c7f3 1230->1231 1232 138c7f4-138c808 1230->1232 1231->1232 1234->1194 1235->1194 1236->1218 1237->1218
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0138C7DE
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 815f21e24f35cf5d87d0273e37b591134f65d27d00aa92db2c5e3cc47cc1e41f
                  • Instruction ID: 73aba81906e2b0d5b69b905dc3db256c764a4fa33f9a1793db3d6a4eaa4009f4
                  • Opcode Fuzzy Hash: 815f21e24f35cf5d87d0273e37b591134f65d27d00aa92db2c5e3cc47cc1e41f
                  • Instruction Fuzzy Hash: FC814770A00B458FDB24EF29D05079ABBF1FF88318F049A2DD486D7A50D774E84ACBA1
                  Function 03003304 Relevance: 1.6, APIs: 1, Instructions: 119COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1238 3003304-3003376 1240 3003381-3003388 1238->1240 1241 3003378-300337e 1238->1241 1242 3003393-30033cb 1240->1242 1243 300338a-3003390 1240->1243 1241->1240 1244 30033d3-3003432 CreateWindowExW 1242->1244 1243->1242 1245 3003434-300343a 1244->1245 1246 300343b-3003473 1244->1246 1245->1246 1250 3003480 1246->1250 1251 3003475-3003478 1246->1251 1252 3003481 1250->1252 1251->1250 1252->1252
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03003422
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 450fa0d9869cd2af035a3f79399948c7da52792c8335b123ac8ac51f22c14822
                  • Instruction ID: f0cd730f43081e1167307fa942ea00622bd060fcd6d581cf6f849e1104f4fb25
                  • Opcode Fuzzy Hash: 450fa0d9869cd2af035a3f79399948c7da52792c8335b123ac8ac51f22c14822
                  • Instruction Fuzzy Hash: 3451D2B5C003599FDB15CFA9C884ADEFBF5BF48310F24856AE818AB250D774A845CF90
                  Function 03003310 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1253 3003310-3003376 1254 3003381-3003388 1253->1254 1255 3003378-300337e 1253->1255 1256 3003393-3003432 CreateWindowExW 1254->1256 1257 300338a-3003390 1254->1257 1255->1254 1259 3003434-300343a 1256->1259 1260 300343b-3003473 1256->1260 1257->1256 1259->1260 1264 3003480 1260->1264 1265 3003475-3003478 1260->1265 1266 3003481 1264->1266 1265->1264 1266->1266
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03003422
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 036c61289eec3d6d1c7d72fb03e31b128e5f03c790b831f70cf40107d2ae66ea
                  • Instruction ID: 239408c4638c653250a0849174fb326aa9888a0abdadf06272ab1c78164d4e76
                  • Opcode Fuzzy Hash: 036c61289eec3d6d1c7d72fb03e31b128e5f03c790b831f70cf40107d2ae66ea
                  • Instruction Fuzzy Hash: EB41D0B5D003599FDB15CFA9C884ADEFBB5BF48310F24852AE418AB250D770A845CF91
                  Function 030012DC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1267 30012dc-300591c 1270 3005922-3005927 1267->1270 1271 30059cc-30059ec call 30011b4 1267->1271 1272 3005929-3005960 1270->1272 1273 300597a-30059b2 CallWindowProcW 1270->1273 1278 30059ef-30059fc 1271->1278 1281 3005962-3005968 1272->1281 1282 3005969-3005978 1272->1282 1275 30059b4-30059ba 1273->1275 1276 30059bb-30059ca 1273->1276 1275->1276 1276->1278 1281->1282 1282->1278
                  APIs
                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 030059A1
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID: CallProcWindow
                  • String ID:
                  • API String ID: 2714655100-0
                  • Opcode ID: 8cfc6bcc13d599c805d2d454e4281c2b3768309238f4e2a422a80adf366f04fa
                  • Instruction ID: 5585f073df78a6bfa501a5bbcfad84650518618209c786f4e149dab0ce88e2de
                  • Opcode Fuzzy Hash: 8cfc6bcc13d599c805d2d454e4281c2b3768309238f4e2a422a80adf366f04fa
                  • Instruction Fuzzy Hash: 374129B4904309CFDB14CF99C889AAAFBF5FB89314F24C859D559AB361D770A844CFA0
                  Function 0138456C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1284 138456c-1385a59 CreateActCtxA 1287 1385a5b-1385a61 1284->1287 1288 1385a62-1385abc 1284->1288 1287->1288 1295 1385acb-1385acf 1288->1295 1296 1385abe-1385ac1 1288->1296 1297 1385ae0 1295->1297 1298 1385ad1-1385add 1295->1298 1296->1295 1300 1385ae1 1297->1300 1298->1297 1300->1300
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 01385A49
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: 72adcae8b2d70143ffd71c716eebf11cd042c23ab028b8c72aea0f610a641671
                  • Instruction ID: 33b20177a36a2a81d4903d75cf6aa5158dd9c8e71e1ad12505ca2fb4ebab1171
                  • Opcode Fuzzy Hash: 72adcae8b2d70143ffd71c716eebf11cd042c23ab028b8c72aea0f610a641671
                  • Instruction Fuzzy Hash: 8541C3B0C0071DCBDB24DFA9C88479EFBB5BF45304F24806AD509AB255DBB55945CF90
                  Function 0138598D Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1301 138598d-1385992 1302 138599c-1385a59 CreateActCtxA 1301->1302 1304 1385a5b-1385a61 1302->1304 1305 1385a62-1385abc 1302->1305 1304->1305 1312 1385acb-1385acf 1305->1312 1313 1385abe-1385ac1 1305->1313 1314 1385ae0 1312->1314 1315 1385ad1-1385add 1312->1315 1313->1312 1317 1385ae1 1314->1317 1315->1314 1317->1317
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 01385A49
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: e90ecd184c8d15172b924a6b607ee065f406376c59c3dbbca89c0b95c39db50e
                  • Instruction ID: 056a71dfadd8336f31dc18f733cb09db672e9e58b1d92eb5f1b76b941a957cfe
                  • Opcode Fuzzy Hash: e90ecd184c8d15172b924a6b607ee065f406376c59c3dbbca89c0b95c39db50e
                  • Instruction Fuzzy Hash: 124112B0C0071ACFEB25DFA9C88478DFBB5BF49308F24819AD408AB255DB755985CF90
                  Function 03003517 Relevance: 1.6, APIs: 1, Instructions: 78COMMON
                  Download Yara Rule
                  APIs
                  • SetWindowLongW.USER32(?,?,?), ref: 030035B5
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID: LongWindow
                  • String ID:
                  • API String ID: 1378638983-0
                  • Opcode ID: ba1e370d0d338b37fc76a83ef3be13ec321d2695f08208d5ce34f527a7649092
                  • Instruction ID: 62eee61744650b08dd1a1515b34e877d06109dc79d21041dcf4548e5328b3f7e
                  • Opcode Fuzzy Hash: ba1e370d0d338b37fc76a83ef3be13ec321d2695f08208d5ce34f527a7649092
                  • Instruction Fuzzy Hash: D5216D75800389DFDB02DF95D945BDEBFF4EF49314F18848AD894AB2A1C3355944CBA0
                  Function 0138EB78 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                  Download Yara Rule
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0138EC07
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: fd1ffa273d42f96e43ef94f2cf7bc221bcfee375214de78e08d378540813f982
                  • Instruction ID: 6759ad444ba5bd29e37a8688682f2a5b26e5e359e7c4d5456f1862fa22f120e7
                  • Opcode Fuzzy Hash: fd1ffa273d42f96e43ef94f2cf7bc221bcfee375214de78e08d378540813f982
                  • Instruction Fuzzy Hash: 6F21F4B59002589FDB10CFA9D985ADEFFF4EF48314F14845AE954A7250C3749944CF60
                  Function 0138EB80 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                  Download Yara Rule
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0138EC07
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 4d2116771b19f6d587827058d6a7bf3a6fd101b8d390aa9735e6aa373aa5f712
                  • Instruction ID: cf7feb19bfecae624ad3234602feb1641969d3fb3a8e250b5abf91972ffc40cf
                  • Opcode Fuzzy Hash: 4d2116771b19f6d587827058d6a7bf3a6fd101b8d390aa9735e6aa373aa5f712
                  • Instruction Fuzzy Hash: B821C4B5D002589FDB10CF9AD984ADEFFF4EB48324F14841AE954A7310D374A944CFA5
                  Function 0138C778 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                  Download Yara Rule
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0138C7DE
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: dd8c8e156cde07753b0f7b009bcede48ee0ebe601dba6038aee88c0186c36ad7
                  • Instruction ID: 86a77afa1122c5a3c3826c65fa3544fa9691a96a8186896058e0a6d7f569391b
                  • Opcode Fuzzy Hash: dd8c8e156cde07753b0f7b009bcede48ee0ebe601dba6038aee88c0186c36ad7
                  • Instruction Fuzzy Hash: 111110B6C003498FDB10DF9AD444BDEFBF4AB88324F14842AD428B7210C374A545CFA5
                  Function 03003558 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                  Download Yara Rule
                  APIs
                  • SetWindowLongW.USER32(?,?,?), ref: 030035B5
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID: LongWindow
                  • String ID:
                  • API String ID: 1378638983-0
                  • Opcode ID: e80d28b705eb63a58c7cc0855f90528fa5acc3e6ecd4e95a7aad814637199305
                  • Instruction ID: 14a1cd888eb27f0c67b5128546105425b7038f8656e3667a4de19fd4524cb246
                  • Opcode Fuzzy Hash: e80d28b705eb63a58c7cc0855f90528fa5acc3e6ecd4e95a7aad814637199305
                  • Instruction Fuzzy Hash: CA1100B58002489FDB10CF9AC585BDEFBF8EB48324F24885AD958A7350C374A944CFA5
                  Function 0129D01C Relevance: .1, Instructions: 72COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730402675.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_129d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 545aaa232a2d1c060200e4ef4dbadb66d7cd86625f66138fa26d5872ad51d48f
                  • Instruction ID: 7f0feedc37c03aefe7d922a813157723194cb7c36757dc54219b58f70254653e
                  • Opcode Fuzzy Hash: 545aaa232a2d1c060200e4ef4dbadb66d7cd86625f66138fa26d5872ad51d48f
                  • Instruction Fuzzy Hash: 23214F70614208DFCF15DFACD984B26BFA1EB84354F20CA6DD90A4B246C37AD847DA61
                  Function 0129D1D4 Relevance: .1, Instructions: 72COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730402675.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_129d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4957015f93573968f72a854bb888334e2f4b49d120e20ed6874e14078eb47623
                  • Instruction ID: 963c0a3cb706a57cf3637a182fcfc70c4f5df4a6e48b1bb1850bbd2c7316c1d1
                  • Opcode Fuzzy Hash: 4957015f93573968f72a854bb888334e2f4b49d120e20ed6874e14078eb47623
                  • Instruction Fuzzy Hash: A2214671914208EFDF05DF9CCAC0B26BBA1FB84324F20C6ADD9094B257C376D846DA61
                  Function 0129D1CF Relevance: .1, Instructions: 53COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730402675.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_129d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                  • Instruction ID: acbfedc0ebfed8e1659590884739415a3be029cc578424e8005b8fbf34bdb903
                  • Opcode Fuzzy Hash: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                  • Instruction Fuzzy Hash: 0711BB75904284DFDB02CF58C6C4B15BFA1FB84228F28C6AAD9494B697C33AD44ADB61
                  Function 0129D017 Relevance: .1, Instructions: 53COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730402675.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_129d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                  • Instruction ID: 1a8ebd47f9dc4fbae2adb14849ac6ac303fc2f171e5e0c84266b9e10add4460a
                  • Opcode Fuzzy Hash: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                  • Instruction Fuzzy Hash: 6311DD75504284CFDB12CF68D5C4B16FFA1FB84318F28C6AED9094B656C33AD44ADBA2

                  Non-executed Functions

                  Function 01387468 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000002.00000002.1730832575.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_1380000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q
                  • API String ID: 0-2697143702
                  • Opcode ID: 2a5dcdc71ef37a712d58d9e05eb67c1f29978c0265a9d8f77ddc97dba0d661b1
                  • Instruction ID: 41ba99ae332889d98592664816fd8c1f694b58a0f76ec25de765d4e5839c1ce8
                  • Opcode Fuzzy Hash: 2a5dcdc71ef37a712d58d9e05eb67c1f29978c0265a9d8f77ddc97dba0d661b1
                  • Instruction Fuzzy Hash: DC612870E006098FDB19DF6FE95469EBBF3FF88301F14C06AD4149B2A8EB34594A8B54
                  Function 03001A70 Relevance: .3, Instructions: 315COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c8dd55ca8caca4cad18636345342bfa97fd14d19f756292b0a3a431c1e7c665a
                  • Instruction ID: b73ea3a5edd79371b375b162be7c6a75f4f36d9ef3e29474167aff3057a2eca9
                  • Opcode Fuzzy Hash: c8dd55ca8caca4cad18636345342bfa97fd14d19f756292b0a3a431c1e7c665a
                  • Instruction Fuzzy Hash: BE12A7B8C8574A8BD310EF65E84C189BBF1BB71398BD04A19D2621F2E1D7F8156ACF44
                  Function 03000CA8 Relevance: .3, Instructions: 260COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 877fed778fe18ec69ba933ece6ccf5b7037a108e4ec36e1ee0afc3bdbda55cc6
                  • Instruction ID: 4e6555f935930f284ddefee00b67a1ea4bd12a9918b7229f0ec97ec56a2dc798
                  • Opcode Fuzzy Hash: 877fed778fe18ec69ba933ece6ccf5b7037a108e4ec36e1ee0afc3bdbda55cc6
                  • Instruction Fuzzy Hash: 56A15F36E0021A8FCF15DFB4C8805DEB7B6FF85304B25856AE905AB261DB71E955CB40
                  Function 03001A6E Relevance: .2, Instructions: 218COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000002.00000002.1732410489.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_3000000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a3a70f284965ac5a74a12f49fe6f171a69fedccb466c3f2b688f087562838b25
                  • Instruction ID: 36e5028b7b3888d314a8b50780be0734b71be950cb5ce6fde334ecac7b592889
                  • Opcode Fuzzy Hash: a3a70f284965ac5a74a12f49fe6f171a69fedccb466c3f2b688f087562838b25
                  • Instruction Fuzzy Hash: 39C10BB8C8474A8BD710EF74E848189BBF1BFB5394B904A19D2626B2D0DBF4156ACF44