
Analysis Report invoicePDF.exe

Overview

General Information

Sample Name: invoicePDF.exe
Analysis ID: 320280
MD5: 71fbb96e66805ffc1f477b3cd89e1a99
SHA1: deb4d9f604ac1502bc5cd601753e8b588a0eba0b
SHA256: 78323d67f56b427a363820b094a4081e652b7e740c75e715fa96fb7ccf96795f
Tags: exe, NanoCore, RAT

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • invoicePDF.exe (PID: 5548 cmdline: 'C:\Users\user\Desktop\invoicePDF.exe' MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
    • schtasks.exe (PID: 4392 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • invoicePDF.exe (PID: 4532 cmdline: {path} MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
    • invoicePDF.exe (PID: 3440 cmdline: {path} MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
  • cleanup
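The process tree above shows invoicePDF.exe handing schtasks.exe a task definition written to %TEMP% (tmp69A8.tmp) and registered as Updates\qOrsEUNRoVVp. The report does not reproduce that XML. The following added example (not from the report or from Joe Sandbox) shows how to triage a Task Scheduler definition of that kind once it has been recovered from the host; the task XML it parses is constructed, and its command path is an assumption that the task launches the dropped qOrsEUNRoVVp.exe listed later under Machine Learning detection. The scoring (two or more red flags) is the author's own heuristic, not something the report states.

```python
"""Added example (not from the report or Joe Sandbox): triage of a Task
Scheduler XML definition of the kind schtasks.exe imports with /XML."""
import xml.etree.ElementTree as ET

# Task Scheduler 2.0 XML namespace.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to. A scheduled command living here is a
# persistence red flag; legitimate tasks point into Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed task definition. The report does not show tmp69A8.tmp; this XML
# ASSUMES the task launches the dropped file qOrsEUNRoVVp.exe from %APPDATA%.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: a visible maintenance task under System32.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2020-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec>
  </Actions>
</Task>"""


def triage_task_xml(xml_text):
    """Pull out the fields that matter for a persistence review and score them."""
    root = ET.fromstring(xml_text)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip()
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS).strip()
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true"
    logon_trigger = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    user_writable = any(marker in command.lower() for marker in USER_WRITABLE)

    flags = []
    if user_writable:
        flags.append("command in user-writable location")
    if logon_trigger:
        flags.append("runs at logon")
    if hidden:
        flags.append("hidden task")
    if run_level == "HighestAvailable":
        flags.append("requests highest available privileges")

    return {
        "command": command,
        "arguments": arguments,
        "flags": flags,
        # One red flag alone is common in legitimate tasks; two or more together
        # (an %APPDATA% binary plus a logon trigger, say) is the RAT persistence pattern.
        "suspicious": len(flags) >= 2,
    }


if __name__ == "__main__":
    for label, xml in (("dropped task", SUSPICIOUS_TASK_XML), ("control", BENIGN_TASK_XML)):
        result = triage_task_xml(xml)
        print(f"{label}: {result['command']} -> {result['flags'] or 'no flags'}")
```

On a live host the same parser can be pointed at the registered copy of the task under C:\Windows\System32\Tasks\Updates\ rather than at the Temp file, which the malware may already have deleted.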

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1da8ad:$x1: NanoCore.ClientPluginHost
  • 0x2844ed:$x1: NanoCore.ClientPluginHost
  • 0x1da8ea:$x2: IClientNetworkHost
  • 0x28452a:$x2: IClientNetworkHost
  • 0x1de41d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x28805d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1da615:$a: NanoCore
  • 0x1da625:$a: NanoCore
  • 0x1da859:$a: NanoCore
  • 0x1da86d:$a: NanoCore
  • 0x1da8ad:$a: NanoCore
  • 0x284255:$a: NanoCore
  • 0x284265:$a: NanoCore
  • 0x284499:$a: NanoCore
  • 0x2844ad:$a: NanoCore
  • 0x2844ed:$a: NanoCore
  • 0x1da674:$b: ClientPlugin
  • 0x1da876:$b: ClientPlugin
  • 0x1da8b6:$b: ClientPlugin
  • 0x2842b4:$b: ClientPlugin
  • 0x2844b6:$b: ClientPlugin
  • 0x2844f6:$b: ClientPlugin
  • 0x12f462:$c: ProjectData
  • 0x1da79b:$c: ProjectData
  • 0x2843db:$c: ProjectData
  • 0x13017b:$d: DESCrypto
  • 0x1db1a2:$d: DESCrypto
00000000.00000002.252586380.0000000003122000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: invoicePDF.exe PID: 5548 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\invoicePDF.exe, ProcessId: 3440, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoicePDF.exe', ParentImage: C:\Users\user\Desktop\invoicePDF.exe, ParentProcessId: 5548, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', ProcessId: 4392
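The two Sigma hits above fire on a process-creation event (schtasks.exe importing a task definition from a Temp directory) and a file-creation event (run.dat inside a GUID-named folder under %APPDATA%). As an added example that is not Joe Sandbox's or Sigma's own code, the logic of both rules is approximated below in plain Python and run over constructed Sysmon-style events: the first two events reproduce the report's evidence, the last two are benign controls that must not fire. Field names follow Sysmon EventID 1 and 11; the Temp-directory and GUID patterns are the author's reading of the two rule names, not the published rule text.

```python
"""Added example (not Joe Sandbox code): the two Sigma detections above,
re-implemented as plain Python over constructed Sysmon-style events."""
import re

TEMP_TASK_RULE = "Scheduled temp file as task from temp location"
NANOCORE_RULE = "NanoCore"

# Constructed events modelled on the report's Sigma evidence (a subset of
# Sysmon EventID 1 process-creation and EventID 11 file-creation fields).
# The first two reproduce the report's hits; the last two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4392,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\invoicePDF.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'"},
    {"EventID": 11, "ProcessId": 3440,
     "Image": r"C:\Users\user\Desktop\invoicePDF.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 1234,   # control: admin importing a task from Documents
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\Users\admin\Documents\nightly.xml'"},
    {"EventID": 11, "ProcessId": 2222,  # control: ordinary application settings file
     "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\App\settings.dat"},
]

_GUID = r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"
# NanoCore writes run.dat inside a GUID-named folder under %APPDATA% (as in the report).
RUN_DAT_RE = re.compile(r"\\AppData\\Roaming\\" + _GUID + r"\\run\.dat$")
# Argument of /XML, with or without surrounding quotes.
XML_ARG_RE = re.compile(r"/XML\s+['\"]?(?P<path>[^'\"]+?)['\"]?(?:\s|$)", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)


def is_temp_task_import(ev):
    """schtasks.exe /Create whose task definition XML lives in a Temp directory."""
    if ev.get("EventID") != 1:
        return False
    if not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return False
    m = XML_ARG_RE.search(cmd)
    return bool(m and TEMP_DIR_RE.search(m.group("path")))


def is_nanocore_run_dat(ev):
    """File creation of <GUID>\\run.dat under %APPDATA%."""
    return ev.get("EventID") == 11 and bool(RUN_DAT_RE.search(ev.get("TargetFilename", "")))


def detect(events):
    """Return (rule name, ProcessId) for every event that fires a rule, in event order."""
    hits = []
    for ev in events:
        if is_temp_task_import(ev):
            hits.append((TEMP_TASK_RULE, ev["ProcessId"]))
        if is_nanocore_run_dat(ev):
            hits.append((NANOCORE_RULE, ev["ProcessId"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: PID {pid}")
```

Note that the process-creation rule keys on the XML path, not on the task name: the Updates\<random> name seen here changes per build, while importing a definition from a Temp directory is the stable behaviour.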

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: invoicePDF.exe | Joe Sandbox ML: detected
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 4x nop then jmp 0A8E2573h | 0_2_0A8E181A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49711 -> 23.105.131.177:4545
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49711 -> 23.105.131.177:4545
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 23.105.131.177
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown | TCP traffic detected without corresponding DNS query: 23.105.131.177 (this entry is repeated 100 times in the report)
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: invoicePDF.exe, 00000000.00000003.239254455.000000000776D000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: invoicePDF.exe, 00000000.00000003.238816781.0000000007769000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP
Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma7
Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomma
Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: invoicePDF.exe, 00000000.00000003.233861149.000000000777B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comic
Source: invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comx
Source: invoicePDF.exe, 00000000.00000003.235909054.000000000776B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/-u
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/h
Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnm=o
Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt
Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt-i
Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cny
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comu=
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr$
Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krV
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp, invoicePDF.exe, 00000000.00000003.233995308.000000000777B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: invoicePDF.exe, 00000000.00000003.234026172.000000000777B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comcom
Source: invoicePDF.exe, 00000000.00000003.234011048.000000000777B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comtn
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)
        Source: invoicePDF.exe | Static file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: invoicePDF.exe
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_07731D12 NtQuerySystemInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_07731CD8 NtQuerySystemInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_00A23946
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA2CE1
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA0090
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA7390
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA1318
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA8714
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA3520
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA3511
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0A8E181A
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0A8E016C
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0A8E018E
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0A8E0622
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 3_2_00153946
        Source: invoicePDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: qOrsEUNRoVVp.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: invoicePDF.exe, 00000000.00000002.257997774.000000000A650000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.258146933.000000000A6B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259308905.000000000AF50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259580512.000000000B050000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259580512.000000000B050000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.251366861.0000000000A36000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.258769757.000000000A860000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs invoicePDF.exe
        Source: invoicePDF.exe, 00000003.00000000.249800736.0000000000166000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000004.00000000.250634386.00000000005B6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exe | Binary or memory string: OriginalFilename vs invoicePDF.exe
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: invoicePDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: qOrsEUNRoVVp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/8@0/1
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_07731842 AdjustTokenPrivileges
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0773180B AdjustTokenPrivileges
        Source: C:\Users\user\Desktop\invoicePDF.exe | File created: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe
        Source: C:\Users\user\Desktop\invoicePDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\invoicePDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{118a9c10-50c1-4e67-b833-b6bda89b9c6b}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:340:120:WilError_01
        Source: C:\Users\user\Desktop\invoicePDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\pmeEcpEELE
        Source: C:\Users\user\Desktop\invoicePDF.exe | File created: C:\Users\user\AppData\Local\Temp\tmp69A8.tmp
        Source: invoicePDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\invoicePDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\invoicePDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\invoicePDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\invoicePDF.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\invoicePDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\invoicePDF.exe | File read: C:\Users\user\Desktop\invoicePDF.exe
        Source: unknown | Process created: C:\Users\user\Desktop\invoicePDF.exe 'C:\Users\user\Desktop\invoicePDF.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: unknown | Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: C:\Users\user\Desktop\invoicePDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
        Source: C:\Users\user\Desktop\invoicePDF.exe | Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: C:\Users\user\Desktop\invoicePDF.exe | Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: C:\Users\user\Desktop\invoicePDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\invoicePDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: invoicePDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\invoicePDF.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: invoicePDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb | source: invoicePDF.exe, 00000000.00000002.257997774.000000000A650000.00000002.00000001.sdmp
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_012029F8 push cs; ret 0_2_01202A1A
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_01202D91 push es; ret 0_2_01202D92
        Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DAEB33 push edx; ret 0_2_02DAEB3D
        Source: initial sample | Static PE information: section name: .text entropy: 7.86853683687
        Source: C:\Users\user\Desktop\invoicePDF.exe | File created: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe
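        The .text entropy of 7.87 reported above is what the packer heuristic keys on: a compiled code section rarely exceeds about 7 bits per byte, so a value this close to the 8.0 ceiling indicates compressed or encrypted content that is unpacked at run time, consistent with the Yara hits landing on a memory dump rather than on the file. The following Python, added here as an example and not part of the Joe Sandbox report, reproduces the measurement with a minimal PE section-table walk. The 7.2 threshold and the constructed sample image are assumptions for the example; against a real file, call `section_entropy_report(open(path, "rb").read())`.

```python
"""Shannon entropy of PE sections as a packing indicator (added example)."""
import math
import struct
from collections import Counter

# Heuristic cut-off (assumption): compressed or encrypted code usually scores
# above ~7.2 bits/byte, plain compiled x86/.NET code around 6.0 to 6.8.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image.

    Minimal walk: e_lfanew -> PE signature -> COFF header -> optional header
    -> 40-byte section headers. Raises ValueError for non-PE input.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_entropy_report(image: bytes, threshold: float = PACKED_THRESHOLD):
    """Map section name -> (entropy rounded to 3 places, flagged as packed)."""
    report = {}
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        report[name] = (round(h, 3), h >= threshold)
    return report


def build_test_image(sections) -> bytes:
    """Build a minimal, non-runnable PE32 image from (name, bytes) pairs.

    Only so the example runs offline; real triage reads the file from disk.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    opt_size = 224                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)           # first raw-data offset
    table, blobs = bytearray(), bytearray()
    for name, data in sections:
        hdr = bytearray(40)
        hdr[:8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<II", hdr, 16, len(data), ptr)        # SizeOfRawData, PointerToRawData
        table += hdr
        blobs += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(blobs)


# Constructed sample: .rdata holds low-entropy text, .text holds every byte
# value equally often (entropy exactly 8.0) and stands in for the packed
# .text section the report measured at 7.87.
SAMPLE_IMAGE = build_test_image([
    (".rdata", b"push ebp; mov ebp, esp; " * 64),
    (".text", bytes(range(256)) * 4),
])

if __name__ == "__main__":
    for name, (h, flagged) in section_entropy_report(SAMPLE_IMAGE).items():
        print(f"{name:8s} entropy={h:.3f} {'PACKED?' if flagged else 'ok'}")
```

        Entropy alone does not prove packing (a section full of compressed resources or certificates scores high too), so treat the flag as a prompt to look at the section's characteristics and for a run-time unpacking stub, as the report does with its memory-dump Yara scan.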

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
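        The evidence line above records the persistence mechanism: the sample writes a task definition to the user's Temp directory and hands it to schtasks.exe /Create /XML, registering a task named Updates\qOrsEUNRoVVp. A task definition read from Temp by a process launched from the user's Desktop is a strong hunting signal on its own; the task's Exec action is the second thing to check. The Python below, added as an example and not part of the report, applies both checks to constructed process-creation records and a constructed task XML. The XML content is an assumption (the report does not show what tmp69A8.tmp contains), as is the guess that the action launches the dropped copy in AppData\Roaming.

```python
"""Triage of schtasks-based persistence from process-creation telemetry.

Added example, not part of the sandbox report. Two checks over constructed
input: (1) a schtasks.exe /Create whose /XML definition is read from a temp
directory; (2) a task XML whose Exec action runs from a user-writable path.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Directories an unprivileged user can write to; heuristic, not exhaustive.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Windows\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Sandbox reports render quotes as ' ; real Windows command lines use ".
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def tokenize(cmdline: str):
    """Split a Windows command line on whitespace, honouring single/double quotes."""
    return [t[1:-1] if len(t) >= 2 and t[0] in "'\"" and t[-1] == t[0] else t
            for t in _TOKEN.findall(cmdline)]


def parse_schtasks_create(cmdline: str):
    """Return {'task_name', 'xml_path'} for a schtasks /Create call, else None."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    info = {"task_name": None, "xml_path": None}
    for i, t in enumerate(lowered[:-1]):
        if t == "/tn":
            info["task_name"] = toks[i + 1]
        elif t == "/xml":
            info["xml_path"] = toks[i + 1]
    return info


def flag_temp_task_creation(events):
    """Yield (parent_image, task_name, xml_path) for schtasks /Create calls
    whose task definition is read from a temp directory."""
    for ev in events:
        info = parse_schtasks_create(ev["CommandLine"])
        if info and info["xml_path"] and TEMP_DIR.search(info["xml_path"]):
            yield ev["ParentImage"], info["task_name"], info["xml_path"]


def exec_commands(task_xml: str):
    """Return every Exec/Command value in a Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    return [c.text.strip() for c in root.iter(f"{TASK_NS}Command") if c.text]


def flag_user_writable_actions(task_xml: str):
    """Return the Exec commands that point into a user-writable directory."""
    return [c for c in exec_commands(task_xml) if USER_WRITABLE.search(c)]


# Constructed process-creation records (Sysmon Event ID 1 style fields),
# mirroring the process tree in the report plus one benign admin use.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\invoicePDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"'C:\Users\user\Desktop\invoicePDF.exe'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\invoicePDF.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /Create /TN 'IT\Inventory' /XML '\\fileserver\tasks\inventory.xml'"},
]

# Constructed task definition of the kind /XML consumes. Assumption: the task
# launches the dropped copy in AppData\Roaming. A real export is UTF-16 with an
# XML declaration; the declaration is omitted here so the string parses as-is.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\qOrsEUNRoVVp.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for parent, name, xml_path in flag_temp_task_creation(EVENTS):
        print(f"ALERT {parent} created task {name!r} from {xml_path}")
    for cmd in flag_user_writable_actions(TASK_XML):
        print(f"ALERT task action runs from user-writable path: {cmd}")
```

        On a live host the second check runs against the registered task rather than the temp file, since the sample is free to delete tmp69A8.tmp once schtasks has consumed it; `schtasks /Query /TN "Updates\qOrsEUNRoVVp" /XML` returns the same XML format this parser expects.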

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\invoicePDF.exe | File opened: C:\Users\user\Desktop\invoicePDF.exe:Zone.Identifier (access: read attributes | delete)
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match; File source: 00000000.00000002.252586380.0000000003122000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: invoicePDF.exe PID: 5548, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLLX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1
        Source: C:\Users\user\Desktop\invoicePDF.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\invoicePDF.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\invoicePDF.exe; Window / User API: threadDelayed 626
        Source: C:\Users\user\Desktop\invoicePDF.exe; Window / User API: threadDelayed 709
        Source: C:\Users\user\Desktop\invoicePDF.exe; Window / User API: foregroundWindowGot 688
        Source: C:\Users\user\Desktop\invoicePDF.exe; Window / User API: foregroundWindowGot 700
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 5480; Thread sleep time: -41500s >= -30000s
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 5988; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 3456; Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 3456; Thread sleep count: 188 > 30
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 3456; Thread sleep count: 626 > 30
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 3456; Thread sleep count: 709 > 30
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 5368; Thread sleep time: -160000s >= -30000s
        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMware
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: vmwareX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMWARE|9
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: r#"SOFTWARE\VMware, Inc.\VMware ToolsX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMware|9
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMware |9
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA IIX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMWARE
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMWAREX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMware
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: QEMUX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\user\Desktop\invoicePDF.exe; Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Process token adjusted: Debug
        Source: C:\Users\user\Desktop\invoicePDF.exe; Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\invoicePDF.exe; Memory written: C:\Users\user\Desktop\invoicePDF.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\invoicePDF.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
        Source: C:\Users\user\Desktop\invoicePDF.exe; Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: C:\Users\user\Desktop\invoicePDF.exe; Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\arial.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\comic.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\comici.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\consola.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\constan.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\constani.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\cour.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\couri.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\framd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\impact.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\taile.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\palai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\palab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\invoicePDF.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\invoicePDF.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\invoicePDF.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\invoicePDF.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY

        Remote Access Functionality:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (121) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job (1) | Boot or Logon Initialization Scripts | Process Injection (111) | Virtualization/Sandbox Evasion (3) | LSASS Memory | Virtualization/Sandbox Evasion (3) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job (1) | Disable or Modify Tools (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (111) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories (1) | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (2) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph


        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        invoicePDF.exe | 100% | Joe Sandbox ML | |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe | 100% | Joe Sandbox ML | |

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label | Link
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
        http://www.jiyu-kobo.co.jp/a-e | 0% | Avira URL Cloud | safe |
        http://www.tiro.com | 0% | URL Reputation | safe |
        http://www.goodfont.co.kr | 0% | URL Reputation | safe |
        http://www.sandoll.co.kr$ | 0% | Avira URL Cloud | safe |
        http://www.sajatypeworks.com | 0% | URL Reputation | safe |
        http://www.typography.netD | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
        http://fontfabrik.com | 0% | URL Reputation | safe |
        http://www.fonts.comic | 0% | Avira URL Cloud | safe |
        http://www.sandoll.co.krV | 0% | Avira URL Cloud | safe |
        http://www.founder.com.cn/cny | 0% | Avira URL Cloud | safe |
        http://www.founder.com.cn/cnt | 0% | Avira URL Cloud | safe |
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
        http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cn/-u | 0% | Avira URL Cloud | safe |
        http://www.sandoll.co.kr | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cn/h | 0% | Avira URL Cloud | safe |
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cnt-i | 0% | Avira URL Cloud | safe |
        http://www.sakkal.com | 0% | URL Reputation | safe |
        http://www.fonts.comx | 0% | Avira URL Cloud | safe |
        http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe |
        http://www.jiyu-kobo.co.jp/S | 0% | Avira URL Cloud | safe |
        http://www.sajatypeworks.comu= | 0% | Avira URL Cloud | safe |
        http://www.jiyu-kobo.co.jp/E | 0% | Avira URL Cloud | safe |
        http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
        http://www.tiro.comtn | 0% | Avira URL Cloud | safe |
        http://www.fontbureau.come.com | 0% | URL Reputation | safe |
        http://www.carterandcone.coml | 0% | URL Reputation | safe |
        http://www.tiro.comcom | 0% | Avira URL Cloud | safe |
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cnm=o | 0% | Avira URL Cloud | safe |
        http://www.fontbureau.coma7 | 0% | Avira URL Cloud | safe |
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
        http://www.fontbureau.comcomma | 0% | Avira URL Cloud | safe |

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.fontbureau.com/designersG | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | | high
        http://www.fontbureau.com/designers/? | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | | high
        http://www.founder.com.cn/cn/bThe | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp/a-e | invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.fontbureau.com/designers? | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | | high
        http://www.tiro.com | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp, invoicePDF.exe, 00000000.00000003.233995308.000000000777B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | | high
        http://www.goodfont.co.kr | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.sandoll.co.kr$ | invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
        http://www.fontbureau.com/designersP | invoicePDF.exe, 00000000.00000003.238816781.0000000007769000.00000004.00000001.sdmp | false | | high
        http://www.sajatypeworks.com | invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.typography.netD | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cn/cThe | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/staff/dennis.htm | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://fontfabrik.com | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fonts.comic | invoicePDF.exe, 00000000.00000003.233861149.000000000777B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.sandoll.co.krV | invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.founder.com.cn/cny | invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.founder.com.cn/cnt | invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.galapagosdesign.com/DPlease | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp/Y0 | invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cn/-u | invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.fonts.com | invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmp | false | | high
        http://www.sandoll.co.kr | invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cn/h | invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.urwpp.deDPlease | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.zhongyicts.com.cn | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cnt-i | invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.sakkal.com | invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fonts.comx | invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.apache.org/licenses/LICENSE-2.0invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpfalse
                      high
                      http://www.fontbureau.cominvoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpfalse
                        high
                        http://www.jiyu-kobo.co.jp/XinvoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/SinvoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.sajatypeworks.comu=invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        http://www.jiyu-kobo.co.jp/EinvoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/jp/invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.tiro.comtninvoicePDF.exe, 00000000.00000003.234011048.000000000777B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.come.cominvoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.carterandcone.comlinvoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.tiro.comcominvoicePDF.exe, 00000000.00000003.234026172.000000000777B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.com/designers/cabarga.htmlNinvoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpfalse
                          high
                          http://www.founder.com.cn/cninvoicePDF.exe, 00000000.00000003.235909054.000000000776B000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers/frere-jones.htmlinvoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cnm=oinvoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.coma7invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers8invoicePDF.exe, 00000000.00000003.239254455.000000000776D000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpfalse
                              high
                              http://www.fontbureau.comcommainvoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.105.131.177 | unknown | United States | 396362 | LEASEWEB-USA-NYC-11US | true

                              General Information

                              Joe Sandbox Version:31.0.0 Red Diamond
                              Analysis ID:320280
                              Start date:19.11.2020
                              Start time:08:30:20
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 7m 4s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:invoicePDF.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@8/8@0/1
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 11.8% (good quality ratio 9%)
                              • Quality average: 49.5%
                              • Quality standard deviation: 29.1%
                              HCA Information:
                              • Successful, ratio: 94%
                              • Number of executed functions: 150
                              • Number of non-executed functions: 1
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
08:31:18 | API Interceptor | 1001x Sleep call for process: invoicePDF.exe modified

                              Joe Sandbox View / Context

                              IPs

Match: 23.105.131.177
Associated Sample Name / URL | Detection
TDToxqrclL.exe | malicious
ORDER INQUIRY.pdf.exe | malicious
Purchase Order 4500033557.pdf.exe | malicious
SHIPPING DOCUMENTS.pdf.exe | malicious
SHIPPING INVOICE.pdf.exe | malicious

                                        Domains

                                        No context

                                        ASN

Match: LEASEWEB-USA-NYC-11US
Associated Sample Name / URL | Detection | Context
invoice & packing.pdf.exe | malicious | 23.105.131.164
NXKfWP9SPF0XHRu.exe | malicious | 23.105.131.214
DOC.exe | malicious | 23.105.131.162
Shipping_Details.exe | malicious | 23.105.131.165
2AyWKsCvVF.exe | malicious | 192.253.246.143
tn9jVPvlMSqAUX5.exe | malicious | 23.105.131.229
HLiw2LPA8i.rtf | malicious | 192.253.246.143
TDToxqrclL.exe | malicious | 23.105.131.177
Ziiq5tI3CT.exe | malicious | 23.105.131.239
f3wo2FuLN6.exe | malicious | 192.253.246.143
ORDER INQUIRY.pdf.exe | malicious | 23.105.131.177
Purchase Order 4500033557.pdf.exe | malicious | 23.105.131.177
SecuriteInfo.com.Trojan.DownLoader35.34609.25775.exe | malicious | 192.253.246.138
Proof_of_payment.xlsm | malicious | 23.105.131.217
invoice tax.xlsm | malicious | 23.105.131.217
SHIPPING DOCUMENTS.pdf.exe | malicious | 23.105.131.177
Payment_Order_20201111.xlsx | malicious | 192.253.246.138
TLpMnhJmg7.exe | malicious | 192.253.246.143
HDyADDoI3I.exe | malicious | 192.253.246.143
11.exe | malicious | 173.234.155.145

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\invoicePDF.exe.log
                                        Process:C:\Users\user\Desktop\invoicePDF.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):641
                                        Entropy (8bit):5.271473536084351
                                        Encrypted:false
                                        SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
                                        MD5:C3EC08CD6BEA8576070D5A52B4B6D7D0
                                        SHA1:40B95253F98B3CC5953100C0E71DAC7915094A5A
                                        SHA-256:28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
                                        SHA-512:5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
                                        Malicious:true
                                        Reputation:moderate, very likely benign file
                                        Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                        C:\Users\user\AppData\Local\Temp\tmp69A8.tmp
                                        Process:C:\Users\user\Desktop\invoicePDF.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1649
                                        Entropy (8bit):5.177706223059003
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBqOtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3j
                                        MD5:EAAC4199D1BA170974F111BD475BC456
                                        SHA1:394B659987331043A4A866A6E751512D370FB057
                                        SHA-256:4BEBBAEA5EC94A4F0C4686E242E9D175CAEB5B37A1452C446629FA5F1DE27DED
                                        SHA-512:447D27747C7B95969CA5E638F23CC03020B2E5A6FB2410659EED02FF066F97D6DF99A3DBD697F3891F60040BADB52E0715166067F0C3EFA0AF5EAE8DE7138CFC
                                        Malicious:true
                                        Reputation:low
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                        Process:C:\Users\user\Desktop\invoicePDF.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):232
                                        Entropy (8bit):7.024371743172393
                                        Encrypted:false
                                        SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                        MD5:32D0AAE13696FF7F8AF33B2D22451028
                                        SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                        SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                        SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                        Process:C:\Users\user\Desktop\invoicePDF.exe
                                        File Type:Non-ISO extended-ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):2.75
                                        Encrypted:false
                                        SSDEEP:3:fpNpP:f9
                                        MD5:930EF7F1A5AAFEEA4FBB4409AD08C590
                                        SHA1:B3AA518D3C65611A6666E73C606ED7239BF984FA
                                        SHA-256:576ADCB3BBA6BFBFD3B550456E0EEC05258204E2ED46934A206EDED08FB24CD2
                                        SHA-512:C013A4684EB497B988ACA0798BB5A6987694FEF9E9E4A32D019463211B453975BCF602E7469C02DFFBBB3AF93F83808DB4D898C5076DD6B65A271F92F806A548
                                        Malicious:true
                                        Reputation:low
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                        Process:C:\Users\user\Desktop\invoicePDF.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):24
                                        Entropy (8bit):4.584962500721156
                                        Encrypted:false
                                        SSDEEP:3:9bzY6oRDJoTBn:RzWDqTB
                                        MD5:3FCC766D28BFD974C68B38C27D0D7A9A
                                        SHA1:45ED19A78D9B79E46EDBFC3E3CA58E90423A676B
                                        SHA-256:39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641
                                        SHA-512:C7D47BDAABEEBB8C9D9B31CC4CE968EAF291771762FA022A2F55F9BA4838E71FDBD3F83792709E47509C5D94629D6D274CC933371DC01560D13016D944012DA5
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                        Process:C:\Users\user\Desktop\invoicePDF.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):5.425704882778696
                                        Encrypted:false
                                        SSDEEP:3:9bzY6oRDJoTBPcgY6oRDMjmPl:RzWDqTdRWDMCd
                                        MD5:CA214D2E41394F5ADA74FA4F2EA15CB5
                                        SHA1:32E3F863838177349F2AF70CA1CE695B3C184166
                                        SHA-256:B6E370AF3F5C1001C79BC19706D1A5B1803C59BC45AEFAB4BD18FC67034F47A1
                                        SHA-512:E9C268BCDE8872F4DD2964ACA6F9C51834E42E2AF7FF2E1C327573CEDC98127B0EDBBF8E76E456FFF82A28FC46A210D91EEEA2242ECED5368D107436B3492C14
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                        Process:C:\Users\user\Desktop\invoicePDF.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):426840
                                        Entropy (8bit):7.999608491116724
                                        Encrypted:true
                                        SSDEEP:12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
                                        MD5:963D5E2C9C0008DFF05518B47C367A7F
                                        SHA1:C183D601FABBC9AC8FBFA0A0937DECC677535E74
                                        SHA-256:5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
                                        SHA-512:0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe
                                        Process:C:\Users\user\Desktop\invoicePDF.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):488448
                                        Entropy (8bit):7.843226468010816
                                        Encrypted:false
                                        SSDEEP:12288:CgRJEqCCYu5Poz1wgLZQ9P/wk6ESR2j8xN8r2THYps39BMTFo:CgjEfCYZdiA1RK8D8r2
                                        MD5:71FBB96E66805FFC1F477B3CD89E1A99
                                        SHA1:DEB4D9F604AC1502BC5CD601753E8B588A0EBA0B
                                        SHA-256:78323D67F56B427A363820B094A4081E652B7E740C75E715FA96FB7CCF96795F
                                        SHA-512:F6BDE7C29C8D5C42B8A4B39417E9D61FE9F37AA0A679B94F8D54797362C59DC6288FE25733F94CFC472606CC42BE3391A9EC7BE352E1FE691B82D3A9CEE1155C
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................,...F......nJ... ...`....@.. ....................................@..................................J..S....`..HB........................................................................... ............... ..H............text...t*... ...,.................. ..`.rsrc...HB...`...D..................@..@.reloc...............r..............@..B................PJ......H.......xp.................................................................|....X..?0...P..s....K..d...X'....Aj.|K."...I.q+dm...` .Z.....A...Sr.....WCF.O.r.m.+.k#...`%|.#..@.{.*%...M. ...}..q.(]..Uv...L....0!..^..'..n.?Y...j:zl......|.2z..JeL...K..0<J.....s.[$....E.i..s.[.~Ms....n.......x....b"..... ..qbm...k.TI.Rh...qm.,A9....c..\OD..Q..+8.:..?|....cv..~x^A...).J7..5.d?....:..*N...Z3./c.o..r.Yc?.}............Ug........y.....u.....c3..~.... .N... .

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.843226468010816
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:invoicePDF.exe
                                        File size:488448
                                        MD5:71fbb96e66805ffc1f477b3cd89e1a99
                                        SHA1:deb4d9f604ac1502bc5cd601753e8b588a0eba0b
                                        SHA256:78323d67f56b427a363820b094a4081e652b7e740c75e715fa96fb7ccf96795f
                                        SHA512:f6bde7c29c8d5c42b8a4b39417e9d61fe9f37aa0a679b94f8d54797362c59dc6288fe25733f94cfc472606cc42be3391a9ec7be352e1fe691b82d3a9cee1155c
                                        SSDEEP:12288:CgRJEqCCYu5Poz1wgLZQ9P/wk6ESR2j8xN8r2THYps39BMTFo:CgjEfCYZdiA1RK8D8r2
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................,...F......nJ... ...`....@.. ....................................@................................

                                        File Icon

                                        Icon Hash:f8c492aaaa92dcfe

                                        Static PE Info

                                        General

                                        Entrypoint:0x474a6e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x5FB5BEAB [Thu Nov 19 00:39:07 2020 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v2.0.50727
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74a18 | 0x53 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4248 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0x72a74 | 0x72c00 | False | 0.902945857162 | data | 7.86853683687 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x76000 | 0x4248 | 0x4400 | False | 0.493106617647 | data | 5.4056455766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x7c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0x761c0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                        RT_ICON | 0x76628 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4275388049, next used block 4258479509 | |
                                        RT_ICON | 0x776d0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3771611807, next used block 3167566498 | |
                                        RT_GROUP_ICON | 0x79c78 | 0x30 | data | |
                                        RT_GROUP_ICON | 0x79ca8 | 0x14 | data | |
                                        RT_VERSION | 0x79cbc | 0x39e | data | |
                                        RT_MANIFEST | 0x7a05c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                        Imports

                                        DLL | Import
                                        mscoree.dll | _CorExeMain

                                        Version Infos

                                        Description | Data
                                        Translation | 0x0000 0x04b0
                                        LegalCopyright | Les loups-garous de Thiercelieux 1998
                                        Assembly Version | 27.0.0.0
                                        InternalName | .exe
                                        FileVersion | 11.0.0.0
                                        CompanyName | Les loups-garous de Thiercelieux
                                        LegalTrademarks |
                                        Comments | Jeu de la barbichette
                                        ProductName | Ptanque
                                        ProductVersion | 11.0.0.0
                                        FileDescription | Ptanque
                                        OriginalFilename | .exe

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        11/19/20-08:31:23.859506 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49711 | 4545 | 192.168.2.5 | 23.105.131.177

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Nov 19, 2020 08:31:26.538453102 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.538558960 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.556498051 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.558552027 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.558669090 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.558686972 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.558881044 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.558979988 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.578571081 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.583731890 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.583848953 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.587294102 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.587322950 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.587475061 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.596759081 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.596811056 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.596837997 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.596932888 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.600517035 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.600681067 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.604585886 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.608382940 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.608469009 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.612705946 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.616600037 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.616718054 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.620625019 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.624691010 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.624789953 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.626255989 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.630498886 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.630727053 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.636451006 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.640360117 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.640459061 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.644556046 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.648482084 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.648684978 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.652352095 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.656663895 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.656812906 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.660574913 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.664321899 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.664463997 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.668473005 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.675498009 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.675654888 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.676649094 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.683439970 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.683521032 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.702590942 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.702650070 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.702758074 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.702799082 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.712577105 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.712635040 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.712673903 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.712701082 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.712749958 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.714281082 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.759393930 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.788738012 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.788803101 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.788932085 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.855153084 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.855209112 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.855371952 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.878613949 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.878681898 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.878906965 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.882482052 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.890513897 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.890645027 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.896454096 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.904324055 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.904449940 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.910563946 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.914676905 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.914940119 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.920613050 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.940622091 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.940887928 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.944312096 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.944483042 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.944525957 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.944603920 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.948832989 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.948957920 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.952775955 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.956413031 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.956552029 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.974766016 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.974862099 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.974915981 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.974960089 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.975074053 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.975231886 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.978514910 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.982357025 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.982475996 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.986393929 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.990580082 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:26.990835905 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:26.994816065 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.000292063 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.000480890 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.004206896 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.008529902 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.008698940 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.012809038 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.016545057 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.016733885 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.020348072 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.024503946 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.024727106 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.028811932 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.032742977 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.033035994 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.036381960 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.040749073 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.040937901 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.044455051 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.050914049 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.053771019 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.054393053 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.059067965 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.059273005 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.062383890 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.066628933 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.066827059 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.070545912 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.074781895 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.074978113 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.078691959 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.082403898 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.082725048 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.086595058 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.090537071 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.090773106 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.094413996 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.100425005 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.100584030 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.104468107 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.108683109 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.108827114 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.112509012 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.118372917 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.118505001 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.123248100 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.128529072 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.128617048 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.132734060 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.136605024 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.136694908 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.158531904 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.162585974 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.162924051 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.164405107 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.164562941 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.164644003 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.184617996 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.188469887 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.188664913 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.188684940 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.188704967 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.188774109 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.188813925 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.192732096 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.192841053 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.196543932 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.200342894 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.200459003 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.205040932 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.208726883 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.208837032 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.212593079 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.216603041 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.216701984 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.222522974 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.242666960 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.242805958 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.246819973 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.247021914 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.247091055 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.248464108 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.252506018 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.252602100 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.256432056 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.260679960 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.260783911 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.264683008 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.268372059 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.268498898 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.272485018 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.276465893 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.276595116 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.282613993 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.288477898 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.288578033 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.292433977 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.298701048 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.298798084 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.318595886 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.322869062 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.322968006 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.328479052 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.330539942 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.330631018 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.332473993 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.336714029 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.336797953 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.341126919 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.345506907 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.345593929 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:27.363183975 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.363234997 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:27.363385916 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:28.065188885 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:28.427690029 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:28.549844980 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:28.594966888 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:28.924197912 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:28.941608906 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:29.261025906 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:29.261253119 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:29.585053921 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:29.634533882 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:29.986983061 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:30.040848017 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:30.549228907 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:30.924052000 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:30.924173117 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:31.348438978 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:31.348541021 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:31.732806921 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:31.734316111 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:31.818114042 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:34.049287081 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:34.201807022 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:36.542220116 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:36.909328938 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:39.049683094 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:39.104110956 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:40.653314114 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:40.698118925 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:41.545047998 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:41.906893969 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:44.046230078 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:44.088844061 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:47.558504105 CET497114545192.168.2.523.105.131.177
                                        Nov 19, 2020 08:31:47.939013958 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:48.660710096 CET45454971123.105.131.177192.168.2.5
                                        Nov 19, 2020 08:31:48.714262962 CET497114545192.168.2.523.105.131.177

                                        Code Manipulations

                                        System Behavior

                                        General

                                        Start time:08:31:12
                                        Start date:19/11/2020
                                        Path:C:\Users\user\Desktop\invoicePDF.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\invoicePDF.exe'
                                        Imagebase:0x9c0000
                                        File size:488448 bytes
                                        MD5 hash:71FBB96E66805FFC1F477B3CD89E1A99
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.252586380.0000000003122000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:08:31:19
                                        Start date:19/11/2020
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
                                        Imagebase:0xde0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:31:19
                                        Start date:19/11/2020
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7ecfc0000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:31:20
                                        Start date:19/11/2020
                                        Path:C:\Users\user\Desktop\invoicePDF.exe
                                        Wow64 process (32bit):false
                                        Commandline:{path}
                                        Imagebase:0xf0000
                                        File size:488448 bytes
                                        MD5 hash:71FBB96E66805FFC1F477B3CD89E1A99
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:08:31:20
                                        Start date:19/11/2020
                                        Path:C:\Users\user\Desktop\invoicePDF.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x540000
                                        File size:488448 bytes
                                        MD5 hash:71FBB96E66805FFC1F477B3CD89E1A99
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:low

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          APIs
                                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0773188B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false

                                          APIs
                                          • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 07731D4D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: t$y
                                          • API String ID: 0-1955082656
                                          • Opcode ID: 369c83cdb216f1c23a9fa475a480b6afb5617fbac277a2caab68ae2d2d073fd3
                                          • Instruction ID: a30070837ce3ef384aebed6cb190c4a51abdaeaa8f9c66aef2e4e2053f031a1a
                                          • Opcode Fuzzy Hash: 369c83cdb216f1c23a9fa475a480b6afb5617fbac277a2caab68ae2d2d073fd3
                                          • Instruction Fuzzy Hash: F0A13970D09209CFCB00CFA8C490AADBBB5FF4A324F649695D4A5AB795C3369D42CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0120A346
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: ConsoleCtrlHandler
                                          • String ID:
                                          • API String ID: 1513847179-0
                                          • Opcode ID: 3fdcbb13dca3f56e82300300f30ca8c533503cd54310a1a7be180922ec13798b
                                          • Instruction ID: cd73e356a462a429b4e0cbe13b7805da613e50d122ee0892ae00c0366c18586d
                                          • Opcode Fuzzy Hash: 3fdcbb13dca3f56e82300300f30ca8c533503cd54310a1a7be180922ec13798b
                                          • Instruction Fuzzy Hash: 5541B5754093806FD7128F25DC45B62BFB8EF46620F0985DBED848B253D264A909CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 07731367
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 2eb4c3c02a4b6d74bd5e4185df97fe87cb0bf3120b93975c0ba634296d88e0b4
                                          • Instruction ID: d86ff8b25bf4e918e5362ff5d87fa2d05e41951f0574e42c2e603c41c6998e2c
                                          • Opcode Fuzzy Hash: 2eb4c3c02a4b6d74bd5e4185df97fe87cb0bf3120b93975c0ba634296d88e0b4
                                          • Instruction Fuzzy Hash: F131B4B15043846FEB128B65DC44FA6BFBCEF06310F0889AAF985CB152D764A909DB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetTokenInformation.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 07730C50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: InformationToken
                                          • String ID:
                                          • API String ID: 4114910276-0
                                          • Opcode ID: 3d2a26afb79948e21857f58f5cc39507d9918f85b6da175ab98a6587d9d1c83a
                                          • Instruction ID: 4536736b55ef3841742a76305601e59f080c59998e89f70b671b60df1f67e648
                                          • Opcode Fuzzy Hash: 3d2a26afb79948e21857f58f5cc39507d9918f85b6da175ab98a6587d9d1c83a
                                          • Instruction Fuzzy Hash: F831C7B15093806FEB228F65DC85F97BFB8EF06310F08889AE985DF153D624A508D7B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0120ACD1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: d2afb30cf42c723da770d1ed24b7b06c4f657deeda9f0879988c45b7e6e390a7
                                          • Instruction ID: 28009462c7e34657531addd5d846c09fe8e97b974af5e34e123510431cbc0407
                                          • Opcode Fuzzy Hash: d2afb30cf42c723da770d1ed24b7b06c4f657deeda9f0879988c45b7e6e390a7
                                          • Instruction Fuzzy Hash: 5131B6715043846FE7128B65CC85FA7BFBCEF05310F08859AED819B152D265A509CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 077307D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: a955eceea826ddcc18dc8a3aa694cd91bfaa8b9d9a7660cb747ebf6c6e36bb1b
                                          • Instruction ID: 854f1b904979fdb5c9696e2aa08d63efc47fa0be7e0081de1afec17b344e545f
                                          • Opcode Fuzzy Hash: a955eceea826ddcc18dc8a3aa694cd91bfaa8b9d9a7660cb747ebf6c6e36bb1b
                                          • Instruction Fuzzy Hash: B3316FB1505384AFE722CF65DC44F66BFE8EF05620F0888AEE9859B252D375E409CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateMutexW.KERNELBASE(?,?), ref: 077305FD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID:
                                          • API String ID: 1964310414-0
                                          • Opcode ID: 54232013fab2670c1e8c06a917f2231ac5fcad5142ea0fd6f26006a6868465a7
                                          • Instruction ID: 78a654dbbe4766662abfc5359eb6fda3a57aa0143d4643df94be042d4e6e5806
                                          • Opcode Fuzzy Hash: 54232013fab2670c1e8c06a917f2231ac5fcad5142ea0fd6f26006a6868465a7
                                          • Instruction Fuzzy Hash: 8E3191B5509780AFE712CB25DC84F56FFF8EF06210F08849AE984CB293D365E909CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 0120ADD4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          • Opcode ID: 145f8ab53d24c1e10c73757d23ba57565600a6c51157694474981f23c9fd02ec
                                          • Instruction ID: 5dc49021248464f37bc90655924d064e75d6bf07d4551cb6563a98a2b6ba72a7
                                          • Opcode Fuzzy Hash: 145f8ab53d24c1e10c73757d23ba57565600a6c51157694474981f23c9fd02ec
                                          • Instruction Fuzzy Hash: F93193715093846FE722CB65CC85F96BFB8EF06310F08859AEA85CB193D264E549CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • TerminateProcess.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 07731BD0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: ProcessTerminate
                                          • String ID:
                                          • API String ID: 560597551-0
                                          • Opcode ID: 4440ce0740e62be73c3abec327923d68fc4cb71455d9489352fd2242f0ae7792
                                          • Instruction ID: 69ef54b0dfc2016445f45273fd93a4d62b1319dd3a6c3f2b793c5db1a20fe07d
                                          • Opcode Fuzzy Hash: 4440ce0740e62be73c3abec327923d68fc4cb71455d9489352fd2242f0ae7792
                                          • Instruction Fuzzy Hash: C42107B15097846FE7128B24DC85B96BFB8EF02320F0884EBE984CF193D264A505C771
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 07730F73
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: OpenPolicy
                                          • String ID:
                                          • API String ID: 2030686058-0
                                          • Opcode ID: cb921bd630ce68e25bfe1d0ce73db375ded8ca72b57569b70abd9b99b672291b
                                          • Instruction ID: 013facaabcd9f65dd18ffdf2e2909f0fd077b7e39e82c2770112a7b369b29be6
                                          • Opcode Fuzzy Hash: cb921bd630ce68e25bfe1d0ce73db375ded8ca72b57569b70abd9b99b672291b
                                          • Instruction Fuzzy Hash: E62182B2504344AFEB21DF65DC85FAAFFB8EF05310F18889AED849B152D265E508CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 07731367
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 7c76f67ab7d1a9a757b28fb7088e95f857b41cb437f6fd1baab2b567f4f64a7e
                                          • Instruction ID: 63fee7f5b76fdab4ddcf293fa3a865efe8433c6c9d7ed0955f500c4d897c57b0
                                          • Opcode Fuzzy Hash: 7c76f67ab7d1a9a757b28fb7088e95f857b41cb437f6fd1baab2b567f4f64a7e
                                          • Instruction Fuzzy Hash: AB21C4B1500608AFEB21DF69DC84F6AFBACEF04310F14886AED458B551D674E4048BB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DeleteFileW.KERNELBASE(?), ref: 0773144C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: b63e19ce1110ff98b1958389c7cffb32f3b989c5d7ba7350d8af231acfcf731f
                                          • Instruction ID: aaa86f65e0dfe1cc6813e5c4b0cf6fc8f76d48b66d8d1f3f51b78d87ed6c2af6
                                          • Opcode Fuzzy Hash: b63e19ce1110ff98b1958389c7cffb32f3b989c5d7ba7350d8af231acfcf731f
                                          • Instruction Fuzzy Hash: 4F218D765097C49FE712CB25DC50B92BFA49F17210F0984DAD8848F2A3D265A908CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 077307D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 849ac9ef4ed41cb1fde5bdde5ee5c65499437b2ed834ee0ae7df94a5d9a15372
                                          • Instruction ID: d4c56541b36739a32b3290c21e0054613bc0f682580a7c30f8f5caacd99d85d2
                                          • Opcode Fuzzy Hash: 849ac9ef4ed41cb1fde5bdde5ee5c65499437b2ed834ee0ae7df94a5d9a15372
                                          • Instruction Fuzzy Hash: C1219DB1501644AFEB21DF69DC84B66FBE8EF08720F18886EE9858B652D771E404CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetFileType.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 077308C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: FileType
                                          • String ID:
                                          • API String ID: 3081899298-0
                                          • Opcode ID: 3b4249d15c5ba2996aa30ffb20d47b1fe623cc97266f3e669527e487b52a9e7e
                                          • Instruction ID: 67b8e59699dded1ef7c37ad203bd8637455f739a4db11e2fbba2f91b993e6e67
                                          • Opcode Fuzzy Hash: 3b4249d15c5ba2996aa30ffb20d47b1fe623cc97266f3e669527e487b52a9e7e
                                          • Instruction Fuzzy Hash: 852107B54097806FE7128B25DC40BA6BFB8EF46720F08849AED848B153D364A909D7B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0120ACD1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: ab8a7cd01176021dc2aaed2ea7359fcaf4496444ff8d1b19ffa1f1e713e2e4db
                                          • Instruction ID: 79e12bbad5f35124e4f230e355d5f903906362d4c8be278ca291a12e2007dba4
                                          • Opcode Fuzzy Hash: ab8a7cd01176021dc2aaed2ea7359fcaf4496444ff8d1b19ffa1f1e713e2e4db
                                          • Instruction Fuzzy Hash: 6821C3B2510304AFE721DF59DC85FABFBECEF04310F14895AEE459B282D664E5088BB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0120BF93
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: 5e5a3b6a11a50db18f8481227996d3317a2d367dca58fc00f39d398945fd5d96
                                          • Instruction ID: 8a89ce5218d0e000bcabc7a6b66ea2364f98c72db72da8080d23ff9c2b812b3a
                                          • Opcode Fuzzy Hash: 5e5a3b6a11a50db18f8481227996d3317a2d367dca58fc00f39d398945fd5d96
                                          • Instruction Fuzzy Hash: C8218E75509384AFDB22CF25DC44B52BFF8EF06210F0985DAE9858F663D265E808CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 07730F73
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: OpenPolicy
                                          • String ID:
                                          • API String ID: 2030686058-0
                                          • Opcode ID: 0a9e6a1e5ac0cfd01a7eabe0d1b9e102bf57c69761393b82cef3631a5be2ce03
                                          • Instruction ID: 9f61e8084b6e8b438ebaed3d5faddabfbc9acd1d6df638db30544aa2ed1981d1
                                          • Opcode Fuzzy Hash: 0a9e6a1e5ac0cfd01a7eabe0d1b9e102bf57c69761393b82cef3631a5be2ce03
                                          • Instruction Fuzzy Hash: D82193B5900205AFEB20DF69DC85F6AFBACEF44710F14886AED449B242D674E508CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateMutexW.KERNELBASE(?,?), ref: 077305FD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID:
                                          • API String ID: 1964310414-0
                                          • Opcode ID: ca5288e34ffe4d436385021865d6bd4d68578b01817ad5dbbfe0f630d531a584
                                          • Instruction ID: 70997eb6b0c28b514d678c0a106caae0736c990876016e03f7c811a80728adb4
                                          • Opcode Fuzzy Hash: ca5288e34ffe4d436385021865d6bd4d68578b01817ad5dbbfe0f630d531a584
                                          • Instruction Fuzzy Hash: AE21A1B1605244AFE720DF69DC85F6AFBE8EF04310F14846AED499B242D775E404CB75
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteFile.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 07730A5D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 8358461cf5b1b24a094353ee4fd4feda0acefe07f32c8b01199377dfbf9f30e2
                                          • Instruction ID: 17a41d040b32f365233d46e388df64ef86c16bdb6b6cc4742be233d31bd2fee7
                                          • Opcode Fuzzy Hash: 8358461cf5b1b24a094353ee4fd4feda0acefe07f32c8b01199377dfbf9f30e2
                                          • Instruction Fuzzy Hash: 442162B1509344AFDB22CF55DC84F96BFB8EF45310F0888AAEA859B152D264A408CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetTokenInformation.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 07730C50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: InformationToken
                                          • String ID:
                                          • API String ID: 4114910276-0
                                          • Opcode ID: 11b2bbe75cc4ee31ad1bdc2ebc7832eb33af451451637973fef8821d0153aa3c
                                          • Instruction ID: eaaa8dc4e02bdca5f55999c5418d88b8b9f503dffb13c6981c7d6e3862c986af
                                          • Opcode Fuzzy Hash: 11b2bbe75cc4ee31ad1bdc2ebc7832eb33af451451637973fef8821d0153aa3c
                                          • Instruction Fuzzy Hash: 771172B1500305AFEB21DF69DC85FAAFBACEF44320F14886AEA49DB152D674A404CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 0120ADD4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          • Opcode ID: 22f48bdd5c61f05fb3f59649b5f7706df051bff35864cf4a687c14d1e6434373
                                          • Instruction ID: 7cd67e669d5396f5b82a779e9c7003771b87ff500e3c38b0f93519ee029e6819
                                          • Opcode Fuzzy Hash: 22f48bdd5c61f05fb3f59649b5f7706df051bff35864cf4a687c14d1e6434373
                                          • Instruction Fuzzy Hash: 3B218EB1510704AFE722DF69DC81FA6BBECEF04711F08856AEE458B292D760E444CAB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32EnumProcesses.KERNEL32(?,?,?,15C2A938,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 077319FE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: EnumProcesses
                                          • String ID:
                                          • API String ID: 84517404-0
                                          • Opcode ID: c9ca788533d8dd3224443c08b65686736947b415d1f1ab7f3260b29da9e8815e
                                          • Instruction ID: d2805e5b74cae6ea0e9d003c1e8187bc84e72a0b6778573f3cf00a3c3c41ba14
                                          • Opcode Fuzzy Hash: c9ca788533d8dd3224443c08b65686736947b415d1f1ab7f3260b29da9e8815e
                                          • Instruction Fuzzy Hash: 5C214C715093849FD712CF65DC85A96BFE8AF06210F0984EAE985CB263D264A908CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07731C9C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 2d0f8963393bb4edcfbd8359607c3e5c982f5557ecf3efa5a38690afb40957b5
                                          • Instruction ID: 62d3f30d75e8918d3a1a669991a52aa68455d389a20d2e81f896d16ce2aaaea6
                                          • Opcode Fuzzy Hash: 2d0f8963393bb4edcfbd8359607c3e5c982f5557ecf3efa5a38690afb40957b5
                                          • Instruction Fuzzy Hash: F721D2B51097859FDB228F25DC44A52FFB4EF06310F0884DEED858B263D275E858DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0120B4A9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoadShim
                                          • String ID:
                                          • API String ID: 1475914169-0
                                          • Opcode ID: f00dcf79659d47024245ce779c6014fb92825cebd97accf9b69c504c747a8810
                                          • Instruction ID: db686079fb94591ec72eab1cddf143828cb13522109f17e163cbb095ec5e3921
                                          • Opcode Fuzzy Hash: f00dcf79659d47024245ce779c6014fb92825cebd97accf9b69c504c747a8810
                                          • Instruction Fuzzy Hash: B921D5754093805FDB228F19DC40B62FFF8EF16210F09808AED84CB293D265E908C771
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 07731E99
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 1db2df442682c29cbc5b75a7eb467e92f08f9617857512a21d508b0aea365197
                                          • Instruction ID: 671a733f2255e85c3fce31bbc9546ac8c77eda93f0b2d11e82c821b6ad64a186
                                          • Opcode Fuzzy Hash: 1db2df442682c29cbc5b75a7eb467e92f08f9617857512a21d508b0aea365197
                                          • Instruction Fuzzy Hash: 1C218C724097C49FDB238F25CC44A52BFB4EF17210F0985DAE9848F163D265A818DB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • TerminateProcess.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 07731BD0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: ProcessTerminate
                                          • String ID:
                                          • API String ID: 560597551-0
                                          • Opcode ID: 77953395113ad804d59dd74497b4c80b97c64a36f5c57e8a420fe97fe0ff473b
                                          • Instruction ID: 28929b04c8bb097056469a0b95c4e1424f6f4746bd3d563f0d4c86e1ad2c1609
                                          • Opcode Fuzzy Hash: 77953395113ad804d59dd74497b4c80b97c64a36f5c57e8a420fe97fe0ff473b
                                          • Instruction Fuzzy Hash: 2911A3B1904604AFEB109F69DC85BAABBACDF45320F14C46AED49DB242D674A444CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120A666
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: aa0cc80d68d772f87d03381057819692fffb634211a8bdb7bfdc591652338a49
                                          • Instruction ID: 6ad7ceeb71de71452f0e376e34bc92a3083ea5a3ec7729dd6612bd1d6b4746ca
                                          • Opcode Fuzzy Hash: aa0cc80d68d772f87d03381057819692fffb634211a8bdb7bfdc591652338a49
                                          • Instruction Fuzzy Hash: 12118471409780AFDB238F55DC44A62FFF8EF4A210F0885DAED858B153D275A418DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteFile.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 07730A5D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 3ea31204b018862eb859acdbf7852d865c038b21b44dfb38ee8b8235f2b78037
                                          • Instruction ID: 6e558ac7a7ea836b9ac739a5826ef97464909348b2e6d7a7979500319d31034b
                                          • Opcode Fuzzy Hash: 3ea31204b018862eb859acdbf7852d865c038b21b44dfb38ee8b8235f2b78037
                                          • Instruction Fuzzy Hash: B0110AB1504204AFEB21CF95EC84F9AFFA8EF44710F14C86AEE559B142C774A404CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0773164C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: f86e37a8dcd5773b2528c988a80486c2d2bea2a5ea5cbcef3dd36f35799033b9
                                          • Instruction ID: cc1e69e127e729a3b83fd2774a0902376f321029e1fedd7c2b78251b8ee3586f
                                          • Opcode Fuzzy Hash: f86e37a8dcd5773b2528c988a80486c2d2bea2a5ea5cbcef3dd36f35799033b9
                                          • Instruction Fuzzy Hash: 9A11EF76409784AFDB228F25DC40A52FFB4EF16220F0CC4DEED858B663C275A458DB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 07732221
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 706016d6c8a3c9321a33a0e2c67909cb67e7bf3af80bcd7e75c29d17c1c3dbcb
                                          • Instruction ID: 8b1d286752745554e6b2e6a179fc9d1826c81ed4542b1ad910466146761d6fa2
                                          • Opcode Fuzzy Hash: 706016d6c8a3c9321a33a0e2c67909cb67e7bf3af80bcd7e75c29d17c1c3dbcb
                                          • Instruction Fuzzy Hash: A0119D72409384AFDB228F25DC45B62FFB4EF56224F08C49EED858B663D265A418CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,?), ref: 0773159F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: 9914851fca1d5e036225d3f2da752b22b2139507782a7e9b4bde5da2fb7f25aa
                                          • Instruction ID: fd969c1e3aa2eeee97e753baa5afdf112ce8fe06e312845644409dd34394560e
                                          • Opcode Fuzzy Hash: 9914851fca1d5e036225d3f2da752b22b2139507782a7e9b4bde5da2fb7f25aa
                                          • Instruction Fuzzy Hash: 0011C1716047849FD711CF19CC84B56FFF8EF06220F0984AAED868B262D274E808CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetFileType.KERNELBASE(?,00000E2C,15C2A938,00000000,00000000,00000000,00000000), ref: 077308C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: FileType
                                          • String ID:
                                          • API String ID: 3081899298-0
                                          • Opcode ID: 854a6d5a04f84122f7f511158980ce035f1ef9fbadcbebd9e2a8d758a2fa3f79
                                          • Instruction ID: 4ae13a53564542d0e2b6221c6113c6b1f144dd257e32eee38a6c4182083eaaf4
                                          • Opcode Fuzzy Hash: 854a6d5a04f84122f7f511158980ce035f1ef9fbadcbebd9e2a8d758a2fa3f79
                                          • Instruction Fuzzy Hash: A601F9B1500304AFE710DF19DC85BAAFBACDF44720F14C466EE449B242D774A404CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0120BF93
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: e98c801c1828b2110324e4494cfe9ce1c6b861f7525e1fe712cba31c3eeb8de6
                                          • Instruction ID: ce827fb2d5ecf1514d35528208277f9affe3b9712d174eac94072c69b779e28e
                                          • Opcode Fuzzy Hash: e98c801c1828b2110324e4494cfe9ce1c6b861f7525e1fe712cba31c3eeb8de6
                                          • Instruction Fuzzy Hash: 5D115E755102059FEB21CF69D849B66FBE8EF04210F0885AAEE498B693D371E404CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0120AF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 76800db360859d62bbb872a722ac3756fb1abd0f3db1fa1712d0bca6a2051700
                                          • Instruction ID: 89da24239b857a64a70cbde025272535c7d51159509fd38467502064367f7da8
                                          • Opcode Fuzzy Hash: 76800db360859d62bbb872a722ac3756fb1abd0f3db1fa1712d0bca6a2051700
                                          • Instruction Fuzzy Hash: 2A119E72409784AFDB228F15DC44A56FFF4EF09220F09859EEE854B262C375A418CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32EnumProcesses.KERNEL32(?,?,?,15C2A938,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 077319FE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: EnumProcesses
                                          • String ID:
                                          • API String ID: 84517404-0
                                          • Opcode ID: 0663c6d5ab4c03c053347e0d196a61515a3a6c59322a3b94434da2bc90140eb7
                                          • Instruction ID: 7a3438fb54b01ef206b6b4d6b50c0928d3e11862e03b5377622589a2ea330267
                                          • Opcode Fuzzy Hash: 0663c6d5ab4c03c053347e0d196a61515a3a6c59322a3b94434da2bc90140eb7
                                          • Instruction Fuzzy Hash: 2811C0B15006459FDB10CF69D884BA6FBE8EF04321F08C8BADD59CB252D270E404CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 0120A480
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 825560ebd376f93629af4fb91c88466135bd5242855f44b3299d02e1be115735
                                          • Instruction ID: a9510cdf213b17fcd47bb9bebdb4f5de65c180ff9cc3ba7d09237327154610b2
                                          • Opcode Fuzzy Hash: 825560ebd376f93629af4fb91c88466135bd5242855f44b3299d02e1be115735
                                          • Instruction Fuzzy Hash: E601C475409384AFD7128F15DC44B62FFB8DF46220F08C0DAED854B253D275A808DB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          • Opcode ID: 38e4d65b366b45774627c3043eac48006077d98ef8d748e9232327ceecc93139
                                          • Instruction ID: 878079fc1fabad33dc8c0550720e1b1a296db6cf166c2d37b6a36bcde79698c5
                                          • Opcode Fuzzy Hash: 38e4d65b366b45774627c3043eac48006077d98ef8d748e9232327ceecc93139
                                          • Instruction Fuzzy Hash: DB117C31409784AFD7228F15DC85A52FFB4EF16220F09C59AED858B263D275A818CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07731C9C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 2b08bcbfaea4391ee6d44abd6ce05b336a744df6150cba979e962212180783ef
                                          • Instruction ID: 271283bf15b38a851b3ad79b3ef6d17b03f324f6e90bc6a8a1d9a845185ed113
                                          • Opcode Fuzzy Hash: 2b08bcbfaea4391ee6d44abd6ce05b336a744df6150cba979e962212180783ef
                                          • Instruction Fuzzy Hash: A20180B55107059FDB20CF19D884B66FBE4EF04320F08C8AAED498B652D271E458DB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DeleteFileW.KERNELBASE(?), ref: 0773144C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 49c5253fa7834d1a732a5ad9502a1975621d75f9c73bdce2f64a220bdadbfa4e
                                          • Instruction ID: c57464852fb09bcc2ac2e4147927f569cf55c4d8db1994d8f1054f554c69fe68
                                          • Opcode Fuzzy Hash: 49c5253fa7834d1a732a5ad9502a1975621d75f9c73bdce2f64a220bdadbfa4e
                                          • Instruction Fuzzy Hash: 9C01B1B1A006058FEB10CF29D8857A6FBE8DF00220F48C4AADC49CF642E675E404CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0120B4A9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoadShim
                                          • String ID:
                                          • API String ID: 1475914169-0
                                          • Opcode ID: 54eca6dc8bd36e460db1eeb4c0ab559e8e1baa26d201ece51d0e3f3b0b7a12f0
                                          • Instruction ID: cc5ca2f0ee4b4d92e213ce8176685f5ab34d2197252c37413a48446f598a3419
                                          • Opcode Fuzzy Hash: 54eca6dc8bd36e460db1eeb4c0ab559e8e1baa26d201ece51d0e3f3b0b7a12f0
                                          • Instruction Fuzzy Hash: D30192795102019FEB31DF19DC45B66FFE8EF14620F08C599EE498B682D274E504CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120A666
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 0194c8647279a6f3f6a2903e29ff93f1b9778a61e97f2d25dcefd4ee6bd4244b
                                          • Instruction ID: 2b0dd4e79be23912cc662197cdab42f2930e6dd92a616f02a705801e63ffefc3
                                          • Opcode Fuzzy Hash: 0194c8647279a6f3f6a2903e29ff93f1b9778a61e97f2d25dcefd4ee6bd4244b
                                          • Instruction Fuzzy Hash: 98016D318107009FDB228F59DC44B56FFF4EF48320F08C9AAEE498B652D275A414CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,?), ref: 0773159F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: 0ebea8eecac6fcc82853fc4495e70eafb5355b36fcad45728867b6dcb6fa3421
                                          • Instruction ID: c370fb0cbb6666f661f82da423e1d5e80568afc8fb05fb042a25578dcf2ec15e
                                          • Opcode Fuzzy Hash: 0ebea8eecac6fcc82853fc4495e70eafb5355b36fcad45728867b6dcb6fa3421
                                          • Instruction Fuzzy Hash: 6C0171B56106458FDB10CF19D884B65FBE8EF05260F48C4ABDD568B652D274E444CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0773164C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: da0dbda7cef62ca91a904ca0c43312cd285455554f0210a1b2bcd2f26511c34c
                                          • Instruction ID: 33b7d823c4f322ca5d394182544c1756a4a433f7cfcf65aaf48d168f4eade89e
                                          • Opcode Fuzzy Hash: da0dbda7cef62ca91a904ca0c43312cd285455554f0210a1b2bcd2f26511c34c
                                          • Instruction Fuzzy Hash: 41019E71500604DFDB208F55DC84B66FFA4EF04320F08C4AEED454A662C671A418DF62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0120A346
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: ConsoleCtrlHandler
                                          • String ID:
                                          • API String ID: 1513847179-0
                                          • Opcode ID: c59f78f76dc191e74457c420f84bd079d472ab55fa32139e2996bcfd6c918a1a
                                          • Instruction ID: 54212285e817decf2cdf496546ef46c6fb3dc26bf6c6eae899eedf82dcfcf400
                                          • Opcode Fuzzy Hash: c59f78f76dc191e74457c420f84bd079d472ab55fa32139e2996bcfd6c918a1a
                                          • Instruction Fuzzy Hash: 67016D72900600ABD610DF1ADC86B26FBE8FB88B20F14815AED085B745E675F915CBE6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 07732221
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 4e92addd59b02124b87267a5991da005d34e34d86d74a27a767cff038d538f00
                                          • Instruction ID: 83b45f2671a94c8a33998c72978fcdec5e2d4a26c780eb7c82dc2b06af0dd599
                                          • Opcode Fuzzy Hash: 4e92addd59b02124b87267a5991da005d34e34d86d74a27a767cff038d538f00
                                          • Instruction Fuzzy Hash: E901BCB15102009FDB208F19DC84B66FFA4FF44320F08C4AAED498B662C275A418CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0120AF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: f10bf2bf852c821a6af9a3db9b3d84006cf32e08eb0ec5239a88691f3f242d4b
                                          • Instruction ID: dc7889e235b4b58216c90932a747030345d0ed814b232be67073388cf3603397
                                          • Opcode Fuzzy Hash: f10bf2bf852c821a6af9a3db9b3d84006cf32e08eb0ec5239a88691f3f242d4b
                                          • Instruction Fuzzy Hash: 2D0171714107009FDB218F55D845B55FFA0EF08320F08C59EDE494B692D2B6A418CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 07731E99
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 5e3181faaa27de52c7069bb9ec934c4f7739d81840e2c0e9e19ac987ee5923a3
                                          • Instruction ID: 8612a0311f358ce0dd3d8e5d8c9262a1ab23aeb90c7c15b9f8c77656f9f80d20
                                          • Opcode Fuzzy Hash: 5e3181faaa27de52c7069bb9ec934c4f7739d81840e2c0e9e19ac987ee5923a3
                                          • Instruction Fuzzy Hash: 49018F755106049FDB208F15D844B65FFA0EF18321F08C59ADD594B256C276A418CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          • Opcode ID: e46f1db2f1f2812b09eec0fd264ad3a43a226b84032be4c951f644d4593a47a4
                                          • Instruction ID: 402102216c665181e7a8f4cf1dc74284dd2e8d207c3052c8be0a2abe2c338383
                                          • Opcode Fuzzy Hash: e46f1db2f1f2812b09eec0fd264ad3a43a226b84032be4c951f644d4593a47a4
                                          • Instruction Fuzzy Hash: CE01D131420B049FDB218F19D885B55FFA0EF14721F08C99ADE4A4B293D2B5A408CFB2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 0120A480
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 1cf176a0a1cb2594c68e517adc6574c47faf4fa0d3780eb9606671e5759ee27a
                                          • Instruction ID: 2b4d9e71c0cc5887664b3db18f4a8349ab5e9cad2feddd7bed850ae2c913a3cf
                                          • Opcode Fuzzy Hash: 1cf176a0a1cb2594c68e517adc6574c47faf4fa0d3780eb9606671e5759ee27a
                                          • Instruction Fuzzy Hash: F6F0A4794243449FDB118F19D889765FFA4DF44321F48C1AADD494B297D2B5A408CEA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%
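
The function blocks above are individual call sites; the signal a triager cares about is the combination. Grouped by process, the report lists VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread together (plus ReadProcessMemory, DuplicateHandle and K32EnumProcesses), which is the classic remote-thread hijacking injection chain behind the "Injects a PE file into a foreign processes" verdict. The script below is an added example written for this page, not Joe Sandbox code: it parses blocks in exactly the layout shown (API bullet, then the "Source File" bullet of the memory dump), groups call sites by process and reports whether the full chain is present. The chain definition is the editor's heuristic, and taking the first dotted field of the dump name as the process index is an assumption about the naming scheme. The sample input is constructed from API lines copied from this section.

```python
import re
from collections import defaultdict

# Constructed sample: API reference lines copied from function blocks of this
# report (same bullet/ref/Source File layout), trimmed to the fields the
# parser needs. Two memory dumps of the same process (index 00000000); one
# block has no API bullet, as some blocks on the page do.
SAMPLE_REPORT = """\
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0120AF50
Memory Dump Source
• Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
APIs
• ResumeThread.KERNELBASE(?), ref: 0120A480
Memory Dump Source
• Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
APIs
Memory Dump Source
• Source File: 00000000.00000002.251758840.000000000120A000.00000040.00000001.sdmp, Offset: 0120A000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07731C9C
Memory Dump Source
• Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
APIs
• SetThreadContext.KERNELBASE(?,?), ref: 0773159F
Memory Dump Source
• Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
APIs
• PostMessageW.USER32(?,?,?,?), ref: 07731E99
Memory Dump Source
• Source File: 00000000.00000002.256121254.0000000007730000.00000040.00000001.sdmp, Offset: 07730000, based on PE: false
"""

# "• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0120AF50"
API_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\(.*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• Source File: <proc>.<dump>.<id>.<addr>.<prot>.<type>.sdmp, Offset: ..."
SRC_RE = re.compile(r"^\s*•\s*Source File:\s*(?P<file>\S+),")

# Heuristic (the editor's, not the sandbox's): thread-hijacking injection
# needs all four stages in one process. Each API on its own is benign.
INJECTION_CHAIN = {
    "allocate": ("VirtualAllocEx",),
    "write": ("WriteProcessMemory",),
    "hijack": ("SetThreadContext",),
    "run": ("ResumeThread",),
}


def parse_api_refs(text):
    """Yield (process_index, api, module, ref) for every API bullet.

    API bullets precede the 'Source File' bullet of their block, so they are
    buffered until the dump name arrives. The first dotted field of the dump
    name is taken as the process index (assumption about the naming scheme).
    """
    pending = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            pending.append((m["api"], m["module"], m["ref"]))
            continue
        m = SRC_RE.match(line)
        if m:
            proc = m["file"].split(".")[0]
            for api, module, ref in pending:
                yield proc, api, module, ref
            pending = []


def injection_evidence(text):
    """Map each process index to the chain stages seen and their call sites."""
    by_proc = defaultdict(lambda: defaultdict(set))
    for proc, api, _module, ref in parse_api_refs(text):
        by_proc[proc][api].add(ref)
    verdicts = {}
    for proc, apis in sorted(by_proc.items()):
        stages = {
            stage: sorted(ref for name in names for ref in apis.get(name, ()))
            for stage, names in INJECTION_CHAIN.items()
        }
        verdicts[proc] = {"complete_chain": all(stages.values()), "stages": stages}
    return verdicts


if __name__ == "__main__":
    for proc, v in injection_evidence(SAMPLE_REPORT).items():
        flag = "INJECTION CHAIN" if v["complete_chain"] else "partial/none"
        print(f"process {proc}: {flag}")
        for stage, refs in v["stages"].items():
            print(f"  {stage:9s} {', '.join(refs) or '-'}")
```

Run it against a saved copy of a report's disassembly section to get a per-process verdict with the call-site addresses (here 0120AF50, 07731C9C, 0773159F and 0120A480) that you can then open in the disassembly view. Grouping across dumps matters: in this report the allocate and run stages live in the 0120A000 dump and the write and hijack stages in the 07730000 dump, so a per-dump check would miss the chain.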

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.259015203.000000000A8E0000.00000040.00000001.sdmp, Offset: 0A8E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: }
                                          • API String ID: 0-4239843852
                                          • Opcode ID: 4777e2936b42855b7d38a40c60e9966c9f4203162237300c01007c11ff8ea3e0
                                          • Instruction ID: bd7c835e40c2c2078ee2a1c6e2d82587cfa2e99225c4c76acf99ee37e6c995e8
                                          • Opcode Fuzzy Hash: 4777e2936b42855b7d38a40c60e9966c9f4203162237300c01007c11ff8ea3e0
                                          • Instruction Fuzzy Hash: B8511770D4E24CEFDB20CF95E4886EDBBB8BB2B318F146219D116A62A6D7744949CF04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: r
                                          • API String ID: 0-1812594589
                                          • Opcode ID: 0c4305d9882a53242a75f745ce2958182108c55b53f892b34253d96871b66b22
                                          • Instruction ID: 5106416843539f91b7d91397c75b577620648a3247ddb049a31d38ff9ad2ef97
                                          • Opcode Fuzzy Hash: 0c4305d9882a53242a75f745ce2958182108c55b53f892b34253d96871b66b22
                                          • Instruction Fuzzy Hash: 5D6125B4A00109DFC718DFA8C5988AEFBB2FF48301B658694D415AB359DB34EE85CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.259015203.000000000A8E0000.00000040.00000001.sdmp, Offset: 0A8E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: s
                                          • API String ID: 0-453955339
                                          • Opcode ID: b4843130537552a2b4d5f0b11251d9d8604af72adcabbb2a0c2429726af32c7c
                                          • Instruction ID: a4fa2e36f157babc4317792ae5052986987911c40a2342a642640f1192eedf55
                                          • Opcode Fuzzy Hash: b4843130537552a2b4d5f0b11251d9d8604af72adcabbb2a0c2429726af32c7c
                                          • Instruction Fuzzy Hash: 5E31FE70D8D10DEBDB60CFA8D0446FDBBB8EB0B318F109A55D42AEB291C3B466059F55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: r
                                          • API String ID: 0-1812594589
                                          • Opcode ID: a204370eacaddb9515b8577935710617da1d64681be4fa6fe7f3694b2b348834
                                          • Instruction ID: e103577f05c6ebe8388a208f65569b1ff16c5156fdcad3189af25daccd4800d0
                                          • Opcode Fuzzy Hash: a204370eacaddb9515b8577935710617da1d64681be4fa6fe7f3694b2b348834
                                          • Instruction Fuzzy Hash: A93128B0905215DFCB18CFAAD5588AEBBF2FF8A305F1484A9D449AB325DB31DA41DF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: |
                                          • API String ID: 0-2343686810
                                          • Opcode ID: 6bae01551b8f1f1b63a9fa8fda98ccb5002406af74d58160fdc5fec413294e0d
                                          • Instruction ID: 98158e9a22665b94fbaed54f73e537869f179f6e7687a578890571bef97f7779
                                          • Opcode Fuzzy Hash: 6bae01551b8f1f1b63a9fa8fda98ccb5002406af74d58160fdc5fec413294e0d
                                          • Instruction Fuzzy Hash: 471102B4D09249DBEB40CFA9C495AADFBB6FB8A300F10A46AC586AB351D7744A45CB01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: |
                                          • API String ID: 0-2343686810
                                          • Opcode ID: bda052c9269b4ff95418ad80a744a653df9eca65c31152f5ce02cd2bbb6dcde0
                                          • Instruction ID: 7d6e30ee54c5234201f48d54f3399cee29b3ba5697850c3f2fd7383b53386b61
                                          • Opcode Fuzzy Hash: bda052c9269b4ff95418ad80a744a653df9eca65c31152f5ce02cd2bbb6dcde0
                                          • Instruction Fuzzy Hash: 7A1115B4D09209DFEB44DFAAD454AAEFBBAFF89300F10A42AC44AA7350D7745A44CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e425a474f1a6f86337f66b840b99488fa75c0db833d7ea376e731a65fe62ec0f
                                          • Instruction ID: 32247f9d95f66986f63609ee39ddd2c66c2fd47965deac1810b322f0ae139fc0
                                          • Opcode Fuzzy Hash: e425a474f1a6f86337f66b840b99488fa75c0db833d7ea376e731a65fe62ec0f
                                          • Instruction Fuzzy Hash: 71C1F2B0801209CFDB00DF98C198A9DBBB6FB04319F559294E595AF352C3B9EC85CF69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0607a433d16ddc49bb0c7e57c724bfac3094f397491b57d48ab07847e31e248c
                                          • Instruction ID: fb12a1a9d38aed4429a5c2f83ef98769ff547a76a06e93e28dde379993441a8e
                                          • Opcode Fuzzy Hash: 0607a433d16ddc49bb0c7e57c724bfac3094f397491b57d48ab07847e31e248c
                                          • Instruction Fuzzy Hash: 1BC102B0801245CFDB00DF98C198A9DBBB6FB04318F659294E595AF352C3B9E885CF69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: acaea5d9848390d30c6c7440a304a9c3e7febe8c568be7fb0e21635ecfb09355
                                          • Instruction ID: 27dfb834ace7bfe6bb7ee25e5802e0eca9f349a067264fd19b8ac704edeccf03
                                          • Opcode Fuzzy Hash: acaea5d9848390d30c6c7440a304a9c3e7febe8c568be7fb0e21635ecfb09355
                                          • Instruction Fuzzy Hash: 2CC1F4B0801209CFDB00DF98C198A9DBBB6FB04319F659294E595AF352C3B9EC85CF65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4dd9532c446137e32fc64b94e171a6e981f3b6cadc35650e0a581ba067b50ce4
                                          • Instruction ID: cdb73cf385930993ca805da1d1b89b2f02157c20755695a094beef8a8b58a0d6
                                          • Opcode Fuzzy Hash: 4dd9532c446137e32fc64b94e171a6e981f3b6cadc35650e0a581ba067b50ce4
                                          • Instruction Fuzzy Hash: 40A13270D01229CFDF14CFA4C854BAEFBB2BF49304F1491A9D049AB291DB709A86CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f90212c163b7480be8509ffb602982462eb30732f78d7e3ae4e0759ed7c4ef58
                                          • Instruction ID: 536de1e5d28b677f0e599d86d97b029975bc62144bd1c9eea83ebd2dee7910dd
                                          • Opcode Fuzzy Hash: f90212c163b7480be8509ffb602982462eb30732f78d7e3ae4e0759ed7c4ef58
                                          • Instruction Fuzzy Hash: A291BF74D09209CFDB00CF98C590AEEBBF5FB49304F249219E849AB345D774AD86CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9f209e201686d2b73b1debb83f68f4080162bc33a47f3f33c3654a2c1e9c776f
                                          • Instruction ID: 006b6d18c1776d5be809d3076722736df511740f8bc210ad3bd84f8c4560ad04
                                          • Opcode Fuzzy Hash: 9f209e201686d2b73b1debb83f68f4080162bc33a47f3f33c3654a2c1e9c776f
                                          • Instruction Fuzzy Hash: 9361AA78A09208DFCB04CFA8D5A0DADBBB6FB59304F109566E846AB311D774ED42CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b75614024e30bf1af80cfc414ad546e04830e3f0e16ce693dbaa721e9faafa4d
                                          • Instruction ID: 6d7ee67841975ab2d1e07c64a83215308bedb3ef3b325ccc351e7020ed30647c
                                          • Opcode Fuzzy Hash: b75614024e30bf1af80cfc414ad546e04830e3f0e16ce693dbaa721e9faafa4d
                                          • Instruction Fuzzy Hash: B8619C78E09208DFCB04CFA9D5909ADBBF6FB59314F109166E85AA7315D730AE42CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a043bd17dfab9be21202293ee0f9eb69992131e70ae27831967d176893c3d02
                                          • Instruction ID: 6c37bc8097c2b5dd60308a6b14c01a215144b99c5dfd493d0f1093d24578773b
                                          • Opcode Fuzzy Hash: 0a043bd17dfab9be21202293ee0f9eb69992131e70ae27831967d176893c3d02
                                          • Instruction Fuzzy Hash: 20519030A006459FCB15DB78C8A4AAEBBF2BF85320F2442A9E511EB3E1CB355C45CB56
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a1e1e4bd00d9969a52da16fb439a8ffa75bbeb768a512967ea218fc426c1f67
                                          • Instruction ID: 207986786cc6900578b5b1342c21cd5936d8c45353a30b87cdb3d6536fb6f0a9
                                          • Opcode Fuzzy Hash: 3a1e1e4bd00d9969a52da16fb439a8ffa75bbeb768a512967ea218fc426c1f67
                                          • Instruction Fuzzy Hash: D551F474D09208EFDF04CFA9C4A4BEDBBB5AB4A304F50A159E489A7395C3748E85CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba8383a8abf12d15ec58d76237cd42158d5d1f2feb8e283d7eeead6b2ba427ea
                                          • Instruction ID: acf8130549a6fddb60a195906055d73895e264fcba6b231fade9f68f32c25191
                                          • Opcode Fuzzy Hash: ba8383a8abf12d15ec58d76237cd42158d5d1f2feb8e283d7eeead6b2ba427ea
                                          • Instruction Fuzzy Hash: 20514E34A406159FCB14DB79C854BAEBBF2BF84714F244269E516AB3A0CB35AC40CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e2c7850c1a6a176de8ddb67b3bfa9b7f612db14a83b31f8caf0fb6f5c963ff79
                                          • Instruction ID: 68061ce5f5064eb11dd51a6b6f27034e99fa0d4ce98d75982cca12ae12676860
                                          • Opcode Fuzzy Hash: e2c7850c1a6a176de8ddb67b3bfa9b7f612db14a83b31f8caf0fb6f5c963ff79
                                          • Instruction Fuzzy Hash: 0C41F274D49219DBCB00CFA8C490AEDFBB6FF49304F529655E89AAB301C374AD46CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 553b2bedd18f708e1ff5b2f92cc42baa24b00918e0ed836f8e2258a958f410cf
                                          • Instruction ID: 6587be516bbafb9bb20e3bf9eeef960f66de5a27d3c821fdc47bf6415b80359b
                                          • Opcode Fuzzy Hash: 553b2bedd18f708e1ff5b2f92cc42baa24b00918e0ed836f8e2258a958f410cf
                                          • Instruction Fuzzy Hash: A041D674E01208DBEB18DFA9D894AAEFBB2FF89300F208069D405BB354DB719D46CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51369d124f7d5ae8ad8d519e4af40d55596f2206eb2afd20fa7a5dc19b953b06
                                          • Instruction ID: 69321b499d5cf70764737be6d8ba17b4519805ec725a6fb4be84584fd6dd9a1b
                                          • Opcode Fuzzy Hash: 51369d124f7d5ae8ad8d519e4af40d55596f2206eb2afd20fa7a5dc19b953b06
                                          • Instruction Fuzzy Hash: 3B517B74E01219DFDB08DFA9D994AAEBBB2FF88300F20816AE815B7354DB315A41CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9bba3cd05c6b87553d74efcc8876a13f8883369c0d97dad3b4e8f7bfd783a92d
                                          • Instruction ID: 1c2f6ee945054e21a24ebd47aeeed04bba611469d19397e4b17eaa7be60eea40
                                          • Opcode Fuzzy Hash: 9bba3cd05c6b87553d74efcc8876a13f8883369c0d97dad3b4e8f7bfd783a92d
                                          • Instruction Fuzzy Hash: 45419DB4E01208DFDF14DFA9D598AAEBBF6FB49300F14902AD815A7394DB349981CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 66d8cdab9771753202056864b554889dc8933637fb12bec6271f9d782d9219b5
                                          • Instruction ID: a84945d659c1976989193f8a1a49e9b2d046ce227bd1caaa93fe550e166a5efd
                                          • Opcode Fuzzy Hash: 66d8cdab9771753202056864b554889dc8933637fb12bec6271f9d782d9219b5
                                          • Instruction Fuzzy Hash: 2B419EB4E01208DFDB14DFA9D598AADBBF6FB49300F14802AD815A7394EB359981CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a30822e4d38664072b1c93c38494ae47419ed4f3cd59dc126fe208a8fd65233
                                          • Instruction ID: 5b3d1d7f566c9e99277ade72d19c01358de3037ae5ea5f70161abbc85175df07
                                          • Opcode Fuzzy Hash: 9a30822e4d38664072b1c93c38494ae47419ed4f3cd59dc126fe208a8fd65233
                                          • Instruction Fuzzy Hash: 6741AE74E01208DFDB09DFA9D854AAEBBB2FF89301F20816AE805B73A4DB715945CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0fa34824c7ed92865df5eeda4642ba97c2b18363d039ae64783a3424c413a130
                                          • Instruction ID: 409b13a88841012f5162741144f581428e2ec8b3b3cc88da0a56575e01349494
                                          • Opcode Fuzzy Hash: 0fa34824c7ed92865df5eeda4642ba97c2b18363d039ae64783a3424c413a130
                                          • Instruction Fuzzy Hash: AD41E474D09248EFCF01CFA8C5A4BDCBBB5AF4A304F54919AE485AB392C7749D85CB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 62e4372eb2ea17e9bff22c3a9cbbfb51680ecdaad25d6210c2bcc59971583d27
                                          • Instruction ID: 3da82d7cfb31ed6ba9679b2dff62702069ced1e0e59cfd932b22ad52e26c80f8
                                          • Opcode Fuzzy Hash: 62e4372eb2ea17e9bff22c3a9cbbfb51680ecdaad25d6210c2bcc59971583d27
                                          • Instruction Fuzzy Hash: A841D474E04209DFCB18DFA9D990AAEBBB2FF89304F20816AD80577390DB359D42CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc075be99a57c8bdb7782e67adae2e85f53054dd996fd70f145029c04bcd6843
                                          • Instruction ID: 7c23718d1a83ab5c2ca3c89e1a1af0a4673f96d023d67f3ff98f7bac88100258
                                          • Opcode Fuzzy Hash: cc075be99a57c8bdb7782e67adae2e85f53054dd996fd70f145029c04bcd6843
                                          • Instruction Fuzzy Hash: E5213570B04259CFDB01EBBCC864B6EBBB6BF95600F2444AAD405AB395DF308D05C3A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dab4de1af34f3d60558efe2da7961c9d4a8e2f25fcc2969edd408d898da04d3d
                                          • Instruction ID: ee70241bb26cf158638eeaabbc98b622126598a787bd5c0c1d064ff11911abb2
                                          • Opcode Fuzzy Hash: dab4de1af34f3d60558efe2da7961c9d4a8e2f25fcc2969edd408d898da04d3d
                                          • Instruction Fuzzy Hash: B531BD74E09219DFCB04CFA9D9909AEBBF2BB59304F10956AD859A7311D7709E02CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 69d07f0a32882bcd5d847e5e4ad2988d54b27e79b3b06b2a482e7c832e65c7fa
                                          • Instruction ID: bab79b192737c399aec59db40da6e5c9432f3e8e274fd6c0235e90f98a19703e
                                          • Opcode Fuzzy Hash: 69d07f0a32882bcd5d847e5e4ad2988d54b27e79b3b06b2a482e7c832e65c7fa
                                          • Instruction Fuzzy Hash: B5311871E002198FDB08CFAAD454AAEFBF2FF88301F14C06AE459A7355DB744A41CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 762f1d4f258c5dc62b332f7928fc957c26614127b20d49162d06ed4a7b2908ec
                                          • Instruction ID: b814abb1be4907d51bce2e05206cd335dc6af68ae2d8bf16f53b99840404e9d2
                                          • Opcode Fuzzy Hash: 762f1d4f258c5dc62b332f7928fc957c26614127b20d49162d06ed4a7b2908ec
                                          • Instruction Fuzzy Hash: 4F31E3B4A00219DFCB04DF99C8959AEFBB2FF48310F248595E419AB355D730EA41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a74a28a033436a950fa00d6df35f437fd33d258ef636e7f90953a74de9e86d50
                                          • Instruction ID: 1fe2429170f50e0a0eccb41009d204ceb973ed77438fe80ab780b2e742b34a3a
                                          • Opcode Fuzzy Hash: a74a28a033436a950fa00d6df35f437fd33d258ef636e7f90953a74de9e86d50
                                          • Instruction Fuzzy Hash: C9E01A30D1A248EFCB10DFA4D489AAC7F36EB46746F2022A8D846A7341C7B11D44CB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33d412a6a2b799f469e86424532ab8b8deb9ede6a65fc40cbe8cff78c63b472f
                                          • Instruction ID: dc04ffd1aee0eb8b62e40bf183030e068b611966d5847a66b7d58a706efd5ed8
                                          • Opcode Fuzzy Hash: 33d412a6a2b799f469e86424532ab8b8deb9ede6a65fc40cbe8cff78c63b472f
                                          • Instruction Fuzzy Hash: 61E0EC70D41208DFCB18EFAAD545AADF7B6EF56600F6050A8980873350DA756F10DBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2400fdcbb84ff3cc1b93a40eae96f009b897212bfd91d2a5b3309c2b72b56354
                                          • Instruction ID: d435aba61d42f39e2aa1d76b51686c8afaa3289da364b078b1028833338ded35
                                          • Opcode Fuzzy Hash: 2400fdcbb84ff3cc1b93a40eae96f009b897212bfd91d2a5b3309c2b72b56354
                                          • Instruction Fuzzy Hash: 51F039B4D04208EFCB04DFA8D088A9CBFB0EB68310F1180AAE80067351C2359A50CF41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a1ace8eb87190aeb622a2ce3f04e530ac508ced897b2c102eb630fa0b9cc2fa
                                          • Instruction ID: 02c5eef96499570460259baf4be4e01e021faf7b593b98e02311e582b2334958
                                          • Opcode Fuzzy Hash: 0a1ace8eb87190aeb622a2ce3f04e530ac508ced897b2c102eb630fa0b9cc2fa
                                          • Instruction Fuzzy Hash: A0E0E5B5E00208EFCB08DFA8D189B9CBBF0FB69310F2181AAD804A3351D6355E04CF41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 640b69644232ba7d49a0e84cf4464124387ec055e518d140f45bb706ccaea095
                                          • Instruction ID: 96bdb760f37978778112816bbd1f92180e257c2e733f031c291387d627c19243
                                          • Opcode Fuzzy Hash: 640b69644232ba7d49a0e84cf4464124387ec055e518d140f45bb706ccaea095
                                          • Instruction Fuzzy Hash: DAE0DFB0C142C8DBCF58DBA8D1596AC7FB0EB26605F1000E9C85123341D2385E01C752
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 719fb3603284ae352c205ccd28d6c3db0fc537f0bdb530e1209b276dc9bb043a
                                          • Instruction ID: 5fb30a530891e3bf04d4756b67164ad0f3fdf2f405bc467f788e2433e1907c41
                                          • Opcode Fuzzy Hash: 719fb3603284ae352c205ccd28d6c3db0fc537f0bdb530e1209b276dc9bb043a
                                          • Instruction Fuzzy Hash: 65E08C30805208DBEB10EBB8E46DBAEBBB8EB85300F1408A5DC44733C0DFB21A40C794
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d110b9c64914b286e2895eb8908389caf7a34897becf74a7c2e6c8ad6370b1f4
                                          • Instruction ID: 6314185e57e4d5ce004da7cf4f35abc2a0c746fe739eb3f60f2b68e7ef1f7213
                                          • Opcode Fuzzy Hash: d110b9c64914b286e2895eb8908389caf7a34897becf74a7c2e6c8ad6370b1f4
                                          • Instruction Fuzzy Hash: 8FE09A70808204EFCB14DF78D0886ACBFB0FB16305F2041EAD844A33A1CB311D58CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14d4e248d8584076c81600882a6a90f43b42ef6611ca3e6a272cd8e847416161
                                          • Instruction ID: fb06023bfc1ae419bd849de91b25ab1216e8792d5193d7fd5aec4310d6715008
                                          • Opcode Fuzzy Hash: 14d4e248d8584076c81600882a6a90f43b42ef6611ca3e6a272cd8e847416161
                                          • Instruction Fuzzy Hash: 77E01A74D0020CEFCB14DFA8E14899DBBB2FB48311F2081A9EC4467300C731AA50DF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7dace39ce35611aebf75165dffaaa0fc50f7d6424409813d29776714f8330eb7
                                          • Instruction ID: 7b61f50afe97fc4dac62401d01abfffc86c1c7b282ecda8e20e893ab163ba21d
                                          • Opcode Fuzzy Hash: 7dace39ce35611aebf75165dffaaa0fc50f7d6424409813d29776714f8330eb7
                                          • Instruction Fuzzy Hash: 79E08C74D0120DEBCB08EFA8D4447AEBBB5EB41300F2081E9D81467380DB74AE00CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f6a47eae227a365fa7ba544b0ddc12e47041936c50b36cb5cf288f4b613a3d75
                                          • Instruction ID: 4bd9fdeafdf6ef2496da598975f86c315092221923efce969dab0eba3b30b925
                                          • Opcode Fuzzy Hash: f6a47eae227a365fa7ba544b0ddc12e47041936c50b36cb5cf288f4b613a3d75
                                          • Instruction Fuzzy Hash: D5E0C2B0C4A3088BCB08DFB4E489A6D7F70EB37305F2101BDC40423381D6B54910C755
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c741f0647af2328be4105ef8d28edcc8c7194390e3a130ba975663a41ea970fc
                                          • Instruction ID: ada81fce5997cf66b37a589b2bc55380a28cada40cd8d5b019101149e7eea189
                                          • Opcode Fuzzy Hash: c741f0647af2328be4105ef8d28edcc8c7194390e3a130ba975663a41ea970fc
                                          • Instruction Fuzzy Hash: 4ED05BF09113149BC7558E58904B77D77E4DB15601F2101A99C4422341D6B91D108B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf00f9c7983739c4e322f589e01465fafcdf66a3cc68fcd69c09828f5d1e3d38
                                          • Instruction ID: 268847a562a0b592ceff5adad8fd719ee89b6b47dd35c43f855d13e848b56cad
                                          • Opcode Fuzzy Hash: bf00f9c7983739c4e322f589e01465fafcdf66a3cc68fcd69c09828f5d1e3d38
                                          • Instruction Fuzzy Hash: D8E04678D00208EFCB08DFA8D08899CBBB8EB48300F2080AAEC0063350C731AE54DF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c0a69a9b9bab343c092b7f75cfe531ddce068b92738825886fbb05d3c27c92e7
                                          • Instruction ID: f94b04232af678e38f45112d3479f3dd3b1efab66c5b7a098be8c407f389620f
                                          • Opcode Fuzzy Hash: c0a69a9b9bab343c092b7f75cfe531ddce068b92738825886fbb05d3c27c92e7
                                          • Instruction Fuzzy Hash: 4EE04FB4900308EFCB54EF64D089B887BF4EB04305F1000E8EC0057391D7759E44C751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eaee0d69ca7ebf7942a48856f02e46b4e904645c8446bd380c234d148baba441
                                          • Instruction ID: 798541b706099a809804a23ee661c35a014617f149b29563ba75ccbcafdf326d
                                          • Opcode Fuzzy Hash: eaee0d69ca7ebf7942a48856f02e46b4e904645c8446bd380c234d148baba441
                                          • Instruction Fuzzy Hash: BED0A770C4910CD7C708EFF4F40457DBB74D702704F1000B8D40433344CA705960C6A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.259015203.000000000A8E0000.00000040.00000001.sdmp, Offset: 0A8E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5a972120648585d518e229d9ba1950d1fdaa7095dfad7b79ac75c0f15ee39de
                                          • Instruction ID: 3c34f07ead4589ff7b463909eb5f5dcbbd83e59e4b5e0af1be702ff7c3f5bd27
                                          • Opcode Fuzzy Hash: f5a972120648585d518e229d9ba1950d1fdaa7095dfad7b79ac75c0f15ee39de
                                          • Instruction Fuzzy Hash: 55C08C2081E38ACEC3038F20A914021BF34DE07A01B163BC3E8ADEF123D2320840C71B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251754028.0000000001202000.00000040.00000001.sdmp, Offset: 01202000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 958217a527456474944f12586a70db4b836b26963b0a2717022352c38065313b
                                          • Instruction ID: ed3e14b3240e01771c67aa0c564b460bfd61ca0d67edb385b8d275d45a933814
                                          • Opcode Fuzzy Hash: 958217a527456474944f12586a70db4b836b26963b0a2717022352c38065313b
                                          • Instruction Fuzzy Hash: BED05E79215A928FE3278A1CC1A8B953FA4EF51B04F4744FAE9008B6A3C368D581D200
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fd9f74a15aedd5045d97e4181256726636a99e192f3de1dcdb6ec31b81cdafc8
                                          • Instruction ID: 8658b78ec0fde66992b5c712d121e84cb138ce5d64d568dc18bb0dde017cf005
                                          • Opcode Fuzzy Hash: fd9f74a15aedd5045d97e4181256726636a99e192f3de1dcdb6ec31b81cdafc8
                                          • Instruction Fuzzy Hash: 5FD0A76044E3504BC35626BC690A36DB7D8CB91205F24007EA484801A3C9AD6811C3A3
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.259015203.000000000A8E0000.00000040.00000001.sdmp, Offset: 0A8E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f8450b4eb635b466a910f57f7789a8a65f8c16c41bff14b60141a6c08edeadb6
                                          • Instruction ID: 71adb334ba0cdd75c3cc02f6cb9dffe328cab530eab5d0b8cf43b320c3a0e693
                                          • Opcode Fuzzy Hash: f8450b4eb635b466a910f57f7789a8a65f8c16c41bff14b60141a6c08edeadb6
                                          • Instruction Fuzzy Hash: 0EC08C30DCE10CCB85208C1090481B2B2BCE783506B0022E0EC0EB6122926684208A9D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.251754028.0000000001202000.00000040.00000001.sdmp, Offset: 01202000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c3fdcc387662d54063783a72ba3e2f111e49fcff377b751170510d3d0189090
                                          • Instruction ID: efce4511a1b6bf3c8ec4f64aefe2cf7c53f44ec1f93c0ab5e2e1e71dd6c87ea0
                                          • Opcode Fuzzy Hash: 4c3fdcc387662d54063783a72ba3e2f111e49fcff377b751170510d3d0189090
                                          • Instruction Fuzzy Hash: 4ED05E342112828BDB16DB1CD198F593BD4AB41B00F0644E9BD008B2A2C3B4E881C600
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.259015203.000000000A8E0000.00000040.00000001.sdmp, Offset: 0A8E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ec616d3c3d4be14366462e9ea8cdd63b6bb9d9d8b00caa87d8c60b7114c73903
                                          • Instruction ID: fb4e7c2e0ca30db62132fffb20f4a4a0a5ca9c0a4c92bbba1ee4b204cbff2d2e
                                          • Opcode Fuzzy Hash: ec616d3c3d4be14366462e9ea8cdd63b6bb9d9d8b00caa87d8c60b7114c73903
                                          • Instruction Fuzzy Hash: 48D0C9B490D408DFCF00DFA4D5A45EC76F9EF5A301F1025A5D41AFB2A2DA728E408FA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.259015203.000000000A8E0000.00000040.00000001.sdmp, Offset: 0A8E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 27c6284f297b44cad126bf59c5cbecc257c9efc6717e853c60653228d950d31f
                                          • Instruction ID: a20492335c6e5f35010deaccdd11a50ff6a709bbc581c87e72a132fa53a70ffa
                                          • Opcode Fuzzy Hash: 27c6284f297b44cad126bf59c5cbecc257c9efc6717e853c60653228d950d31f
                                          • Instruction Fuzzy Hash: ECD092B4D44218CFCB50CFA8C48459DBFF4BF09310B104259D829EB794DB70980ACF01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.252023358.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b0e70d51b348f60efcd77232b0da5649a9b97c4b1a1c9c2cb1ec7f26aa8cc586
                                          • Instruction ID: fa394981475ebd5e56a2d0a0678e04832cd6ce384b46595ac41840a6b08b5e61
                                          • Opcode Fuzzy Hash: b0e70d51b348f60efcd77232b0da5649a9b97c4b1a1c9c2cb1ec7f26aa8cc586
                                          • Instruction Fuzzy Hash: 66C04C300456058BD229F794B60E7A5B669BB21717F500020A50D61655CFB56854C7FA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.259015203.000000000A8E0000.00000040.00000001.sdmp, Offset: 0A8E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 653d3e553826f7223b6a0d9e70649ee2a144fb4d0e485984fd43b29dc46f2be1
                                          • Instruction ID: b3318114dc42840d5307a013632176e7e04709effb90c0847cbe6ac60308031e
                                          • Opcode Fuzzy Hash: 653d3e553826f7223b6a0d9e70649ee2a144fb4d0e485984fd43b29dc46f2be1
                                          • Instruction Fuzzy Hash: D5C002B4C4E30DEFCB20CFA9D0840ECBAB8AB0A235F146619D469E7291D67009828F00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.259015203.000000000A8E0000.00000040.00000001.sdmp, Offset: 0A8E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7d7cd1036f431a19b00c9c14b46d1b9d03bd75802a450ece9aa5c3efa3797ffe
                                          • Instruction ID: 870973613e8c48a3933e4b1559c8465d40f5bca8f19eaac6bc5396804f15db0a
                                          • Opcode Fuzzy Hash: 7d7cd1036f431a19b00c9c14b46d1b9d03bd75802a450ece9aa5c3efa3797ffe
                                          • Instruction Fuzzy Hash: 62C048B0C4A20ADE8B60CFA982801DCBAF4AB0A620B3003298428E3282D2301E028F00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Strings