
Analysis Report Product List.exe

Overview

General Information

Sample Name: Product List.exe
Analysis ID: 356641
MD5: df1a8e7ffa630db4a9fa38abaec4c0d2
SHA1: 19077607d6f6951499783faec6f1722cb9b2c077
SHA256: 8174806d6bbe5f5c713a2a860c36b22d3efe8c7effeb0284bb23de5a9fe68d26
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Product List.exe (PID: 3488 cmdline: 'C:\Users\user\Desktop\Product List.exe' MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
    • schtasks.exe (PID: 4092 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Product List.exe (PID: 1928 cmdline: C:\Users\user\Desktop\Product List.exe MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
    • Product List.exe (PID: 3152 cmdline: C:\Users\user\Desktop\Product List.exe MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

            Unpacked PEs

Source | Rule | Description | Author
4.2.Product List.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Product List.exe.41e7fb0.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Product List.exe.2f56b18.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.Product List.exe.41e7fb0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Product List.exe.2fa483c.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

                      Sigma Overview

                      System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\Product List.exe'
  ParentImage: C:\Users\user\Desktop\Product List.exe
  ParentProcessId: 3488
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
  ProcessId: 4092

                      Signature Overview


                      AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\oObXLwwKgq.exe | ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: Product List.exe | Virustotal: Detection: 42%
Source: Product List.exe | ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\oObXLwwKgq.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Product List.exe | Joe Sandbox ML: detected
Source: 4.2.Product List.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

                      Compliance:

Uses 32bit PE files
Source: Product List.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Product List.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 144.217.69.193:587
Source: unknown | DNS traffic detected: queries for: cdn.onenote.net

                      System Summary:

.NET source code contains very large array initializations
Source: 4.2.Product List.exe.400000.0.unpack, <PrivateImplementationDetails>{229E1CFD-2DFD-4D5B-AEE6-795BE0355C35}/AF02D89A-A309-4AF8-9971-E6A4754A7662.cs | Large array initialization: .cctor: array initializer size 11949
Source: Product List.exe | Binary or memory string: OriginalFilename vs Product List.exe
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Product List.exe
Source: Product List.exe, 00000000.00000000.197720100.0000000000AF2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
Source: Product List.exe, 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBpIFRNHUGjPNAoJQtYyW.exe4 vs Product List.exe
Source: Product List.exe, 00000000.00000002.230847837.0000000009480000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Product List.exe
Source: Product List.exe, 00000000.00000002.229847265.0000000008F80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Product List.exe
Source: Product List.exe, 00000000.00000002.229761142.0000000008DD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Product List.exe
Source: Product List.exe, 00000000.00000002.231099210.0000000009580000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Product List.exe
Source: Product List.exe, 00000000.00000002.231099210.0000000009580000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Product List.exe
Source: Product List.exe, 00000003.00000000.219271011.00000000002A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
Source: Product List.exe, 00000004.00000000.220140658.00000000008E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
Source: Product List.exe, 00000004.00000002.469726803.00000000010C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Product List.exe
Source: Product List.exe, 00000004.00000002.469821932.0000000001150000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Product List.exe
Source: Product List.exe, 00000004.00000002.467021746.0000000000D38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Product List.exe
Source: Product List.exe, 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameBpIFRNHUGjPNAoJQtYyW.exe4 vs Product List.exe
Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Product List.exe
Source: Product List.exe | Binary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Product List.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: oObXLwwKgq.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 4.2.Product List.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.2.Product List.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/5@3/1
                      Source: C:\Users\user\Desktop\Product List.exeFile created: C:\Users\user\AppData\Roaming\oObXLwwKgq.exeJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeMutant created: \Sessions\1\BaseNamedObjects\ubWnYfprkyhFCG
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_01
                      Source: C:\Users\user\Desktop\Product List.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3F53.tmpJump to behavior
                      Source: Product List.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Product List.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Product List.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Product List.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Product List.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Product List.exe | Virustotal: Detection: 42%
Source: Product List.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\Product List.exe | File read: C:\Users\user\Desktop\Product List.exe
Source: unknown | Process created: C:\Users\user\Desktop\Product List.exe 'C:\Users\user\Desktop\Product List.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
Source: C:\Users\user\Desktop\Product List.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
Source: C:\Users\user\Desktop\Product List.exe | Process created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
Source: C:\Users\user\Desktop\Product List.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Product List.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Product List.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Product List.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Product List.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Product List.exe | Code function: 0_2_09743C6D push dword ptr [edx+ebp*2-75h]; iretd 0_2_09743C77
Source: C:\Users\user\Desktop\Product List.exe | Code function: 4_2_00DD7A37 push edi; retn 0000h 4_2_00DD7A39
Source: C:\Users\user\Desktop\Product List.exe | Code function: 4_2_00DFB8B0 push F800D8CCh; retf 4_2_00DFB90D
Source: C:\Users\user\Desktop\Product List.exe | Code function: 4_2_06C7D5B5 push es; ret 4_2_06C7D5BC
Source: initial sample | Static PE information: section name: .text entropy: 7.44517297113
Source: C:\Users\user\Desktop\Product List.exe | File created: C:\Users\user\AppData\Roaming\oObXLwwKgq.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
Source: C:\Users\user\Desktop\Product List.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Product List.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Product List.exe PID: 3488, type: MEMORY
Source: Yara match | File source: 0.2.Product List.exe.2f56b18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Product List.exe.2fa483c.2.raw.unpack, type: UNPACKEDPE
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Product List.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\Product List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Product List.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Product List.exe | Window / User API: threadDelayed 6832
Source: C:\Users\user\Desktop\Product List.exe | Window / User API: threadDelayed 3018
Source: C:\Users\user\Desktop\Product List.exe TID: 1740 | Thread sleep time: -99271s >= -30000s
Source: C:\Users\user\Desktop\Product List.exe TID: 5840 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Product List.exe TID: 3292 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\Product List.exe TID: 4796 | Thread sleep count: 6832 > 30
Source: C:\Users\user\Desktop\Product List.exe TID: 4796 | Thread sleep count: 3018 > 30
Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Product List.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware T<
Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware T
Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Product List.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Product List.exe | Code function: 4_2_00DF0040 LdrInitializeThunk, 4_2_00DF0040
Source: C:\Users\user\Desktop\Product List.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Product List.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Product List.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
Source: C:\Users\user\Desktop\Product List.exe | Process created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
Source: Product List.exe, 00000004.00000002.470104819.00000000016D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Product List.exe, 00000004.00000002.470104819.00000000016D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Product List.exe, 00000004.00000002.470104819.00000000016D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Product List.exe, 00000004.00000002.470104819.00000000016D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Users\user\Desktop\Product List.exe VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Product List.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Product List.exe, queries volume information (VolumeInformation) for each of the following files, in this order:
• C:\Windows\Fonts\MOD20.TTF
• C:\Windows\Fonts\NIAGENG.TTF
• C:\Windows\Fonts\NIAGSOL.TTF
• C:\Windows\Fonts\OLDENGL.TTF
• C:\Windows\Fonts\ONYX.TTF
• C:\Windows\Fonts\PARCHM.TTF
• C:\Windows\Fonts\PLAYBILL.TTF
• C:\Windows\Fonts\POORICH.TTF
• C:\Windows\Fonts\RAVIE.TTF
• C:\Windows\Fonts\INFROMAN.TTF
• C:\Windows\Fonts\SHOWG.TTF
• C:\Windows\Fonts\SNAP____.TTF
• C:\Windows\Fonts\STENCIL.TTF
• C:\Windows\Fonts\VINERITC.TTF
• C:\Windows\Fonts\VIVALDII.TTF
• C:\Windows\Fonts\VLADIMIR.TTF
• C:\Windows\Fonts\LATINWD.TTF
• C:\Windows\Fonts\TCM_____.TTF
• C:\Windows\Fonts\TCMI____.TTF
• C:\Windows\Fonts\TCB_____.TTF
• C:\Windows\Fonts\TCBI____.TTF
• C:\Windows\Fonts\TCCM____.TTF
• C:\Windows\Fonts\TCCB____.TTF
• C:\Windows\Fonts\TCCEB.TTF
• C:\Windows\Fonts\SCRIPTBL.TTF
• C:\Windows\Fonts\ROCK.TTF
• C:\Windows\Fonts\ROCKI.TTF
• C:\Windows\Fonts\ROCKB.TTF
• C:\Windows\Fonts\ROCKEB.TTF
• C:\Windows\Fonts\ROCKBI.TTF
• C:\Windows\Fonts\ROCC____.TTF
• C:\Windows\Fonts\ROCCB___.TTF
• C:\Windows\Fonts\RAGE.TTF
• C:\Windows\Fonts\PERTILI.TTF
• C:\Windows\Fonts\PERTIBD.TTF
• C:\Windows\Fonts\PER_____.TTF
• C:\Windows\Fonts\PERI____.TTF
• C:\Windows\Fonts\PERB____.TTF
• C:\Windows\Fonts\PERBI___.TTF
• C:\Windows\Fonts\PALSCRI.TTF
• C:\Windows\Fonts\OCRAEXT.TTF
• C:\Windows\Fonts\MAIAN.TTF
• C:\Windows\Fonts\LTYPE.TTF
• C:\Windows\Fonts\LTYPEO.TTF
• C:\Windows\Fonts\LTYPEB.TTF
• C:\Windows\Fonts\LTYPEBO.TTF
• C:\Windows\Fonts\LSANS.TTF
• C:\Windows\Fonts\LSANSD.TTF
• C:\Windows\Fonts\LSANSI.TTF
• C:\Windows\Fonts\LSANSDI.TTF
• C:\Windows\Fonts\IMPRISHA.TTF
• C:\Windows\Fonts\HATTEN.TTF
• C:\Windows\Fonts\GOUDYSTO.TTF
• C:\Windows\Fonts\GOUDOS.TTF
• C:\Windows\Fonts\GOUDOSI.TTF
• C:\Windows\Fonts\GOUDOSB.TTF
• C:\Windows\Fonts\GLECB.TTF
• C:\Windows\Fonts\GIL_____.TTF
• C:\Windows\Fonts\GILI____.TTF
• C:\Windows\Fonts\GILB____.TTF
• C:\Windows\Fonts\GILBI___.TTF
• C:\Windows\Fonts\GILC____.TTF
• C:\Windows\Fonts\GLSNECB.TTF
• C:\Windows\Fonts\GIGI.TTF
• C:\Windows\Fonts\FRABK.TTF
• C:\Windows\Fonts\FRABKIT.TTF
• C:\Windows\Fonts\FORTE.TTF
• C:\Windows\Fonts\FELIXTI.TTF
• C:\Windows\Fonts\ERASMD.TTF
• C:\Windows\Fonts\ERASLGHT.TTF
• C:\Windows\Fonts\ERASDEMI.TTF
• C:\Windows\Fonts\ERASBD.TTF
• C:\Windows\Fonts\ENGR.TTF
• C:\Windows\Fonts\ELEPHNT.TTF
• C:\Windows\Fonts\ELEPHNTI.TTF
• C:\Windows\Fonts\ITCEDSCR.TTF
• C:\Windows\Fonts\CURLZ___.TTF
• C:\Windows\Fonts\COPRGTL.TTF
• C:\Windows\Fonts\COPRGTB.TTF
• C:\Windows\Fonts\CENSCBK.TTF
• C:\Windows\Fonts\SCHLBKI.TTF
• C:\Windows\Fonts\SCHLBKB.TTF
• C:\Windows\Fonts\SCHLBKBI.TTF
• C:\Windows\Fonts\CASTELAR.TTF
• C:\Windows\Fonts\CALIST.TTF
• C:\Windows\Fonts\CALISTI.TTF
• C:\Windows\Fonts\CALISTB.TTF
• C:\Windows\Fonts\CALISTBI.TTF
• C:\Windows\Fonts\BOOKOS.TTF
• C:\Windows\Fonts\BOOKOSB.TTF
• C:\Windows\Fonts\BOOKOSI.TTF
• C:\Windows\Fonts\BOOKOSBI.TTF
• C:\Windows\Fonts\BOD_R.TTF
• C:\Windows\Fonts\BOD_I.TTF
• C:\Windows\Fonts\BOD_B.TTF
• C:\Windows\Fonts\BOD_BI.TTF
• C:\Windows\Fonts\BOD_CR.TTF
• C:\Windows\Fonts\BOD_BLAR.TTF
• C:\Windows\Fonts\BOD_CI.TTF
• C:\Windows\Fonts\BOD_CB.TTF
• C:\Windows\Fonts\BOD_BLAI.TTF
• C:\Windows\Fonts\BOD_CBI.TTF
• C:\Windows\Fonts\ITCBLKAD.TTF
• C:\Windows\Fonts\ARLRDBD.TTF
• C:\Windows\Fonts\AGENCYR.TTF
• C:\Windows\Fonts\AGENCYB.TTF
• C:\Windows\Fonts\BSSYM7.TTF
• C:\Windows\Fonts\REFSAN.TTF
• C:\Windows\Fonts\REFSPCL.TTF
• C:\Windows\Fonts\MTEXTRA.TTF
• C:\Windows\Fonts\marlett.ttf
• C:\Windows\Fonts\micross.ttf
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
• C:\Users\user\Desktop\Product List.exe
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
• C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll (three consecutive queries)
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\Product List.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; file source: 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: Product List.exe PID: 3488, type: MEMORY
Source: Yara match; file source: Process Memory Space: Product List.exe PID: 3152, type: MEMORY
Source: Yara match; file source: 4.2.Product List.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.Product List.exe.41e7fb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.Product List.exe.41e7fb0.5.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Product List.exe; key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Product List.exe; file opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Product List.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Product List.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Product List.exe; file opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Product List.exe; file opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Product List.exe; file opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (opened twice)
Source: C:\Users\user\Desktop\Product List.exe; key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Product List.exe; key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the subkey under which Outlook stores account settings)
Source: Yara match; file source: 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: Product List.exe PID: 3152, type: MEMORY
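The signatures above all describe one behaviour: a single process opening the credential stores of several unrelated applications (browsers, FTP/SCP clients, mail clients) within a short time. The following is an added detection example, written for this report and not part of Joe Sandbox or of the sample; it correlates file-open and registry-open telemetry per process and flags any process that touches three or more stores it does not own. The store paths are the ones listed in the report; the JSON event format, the PIDs of the benign processes, and the per-store "owner" allow-list (so chrome.exe reading Login Data is not an alert) are assumptions made for illustration.

```python
"""Flag processes that sweep several unrelated credential stores.

Added example, not Joe Sandbox code. Store locations come from the report;
the telemetry format, benign PIDs and owner allow-list are assumptions.
"""
import json
import re
from collections import defaultdict

# Credential stores the sample touched (paths from the report), keyed by
# category. Each entry also names the executables that legitimately own the
# store, so a browser or mail client reading its own files is not flagged.
STORES = {
    "browser:chrome":   (r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Cookies)$", {"chrome.exe"}),
    "browser:firefox":  (r"\\Mozilla\\Firefox\\profiles\.ini$", {"firefox.exe"}),
    "ftp:filezilla":    (r"\\FileZilla\\recentservers\.xml$", {"filezilla.exe"}),
    "ftp:smartftp":     (r"\\SmartFTP\\Client 2\.0\\Favorites\\", {"smartftp.exe"}),
    "scp:winscp":       (r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$", {"winscp.exe"}),
    "mail:thunderbird": (r"\\Thunderbird\\profiles\.ini$", {"thunderbird.exe"}),
    "mail:incredimail": (r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$", {"incmail.exe"}),
    "mail:outlook":     (r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676$", {"outlook.exe"}),
}
_RULES = [(cat, re.compile(pat, re.IGNORECASE), owners) for cat, (pat, owners) in STORES.items()]


def classify(target):
    """Return the store category of a file path or registry key, or None."""
    for cat, rx, _ in _RULES:
        if rx.search(target):
            return cat
    return None


def find_credential_sweeps(lines, min_categories=3):
    """Correlate open events per PID. Returns {pid: {"image": ..., "stores": [...]}}
    for every process that touched at least min_categories stores it does not own."""
    touched = defaultdict(set)
    image_of = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("op") not in ("FileOpen", "RegOpenKey"):
            continue
        cat = classify(ev["target"])
        if cat is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe in STORES[cat][1]:
            continue  # the owning application reading its own store is normal
        touched[ev["pid"]].add(cat)
        image_of[ev["pid"]] = ev["image"]
    return {pid: {"image": image_of[pid], "stores": sorted(cats)}
            for pid, cats in touched.items() if len(cats) >= min_categories}


# Constructed telemetry: the sample's accesses from the report (PID 3152) plus
# benign noise: Chrome and Firefox reading their own profiles, Notepad opening a file.
_SAMPLE = r"C:\Users\user\Desktop\Product List.exe"
_EVENTS = [
    {"pid": 3152, "image": _SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 3152, "image": _SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"pid": 3152, "image": _SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 3152, "image": _SAMPLE, "op": "FileOpen", "target": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"},
    {"pid": 3152, "image": _SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 3152, "image": _SAMPLE, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 3152, "image": _SAMPLE, "op": "RegOpenKey", "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 3152, "image": _SAMPLE, "op": "RegOpenKey", "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 3152, "image": _SAMPLE, "op": "RegOpenKey", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "FileOpen", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4212, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 4300, "image": r"C:\Windows\System32\notepad.exe", "op": "FileOpen", "target": r"C:\Users\user\Desktop\notes.txt"},
]
SAMPLE_LINES = [json.dumps(e) for e in _EVENTS]

if __name__ == "__main__":
    for pid, info in find_credential_sweeps(SAMPLE_LINES).items():
        print(f"PID {pid} {info['image']} swept {len(info['stores'])} stores: {', '.join(info['stores'])}")
```

Run against the constructed events only PID 3152 is reported, with all eight store categories; the browser processes are suppressed by the owner allow-list. The threshold of three distinct categories is the point that separates a stealer from a backup agent or a single misbehaving application, and should be tuned against real telemetry before deployment.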

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; file source: 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: Product List.exe PID: 3488, type: MEMORY
Source: Yara match; file source: Process Memory Space: Product List.exe PID: 3152, type: MEMORY
Source: Yara match; file source: 4.2.Product List.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.Product List.exe.41e7fb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.Product List.exe.41e7fb0.5.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques flagged in the matrix, grouped by tactic. The digits in parentheses are the counters the report attaches to each technique; matrix cells without a counter are not listed.

Initial Access: none flagged
Execution: Windows Management Instrumentation (311), Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1)
Privilege Escalation: Process Injection (12), Scheduled Task/Job (1)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (3), Masquerading (1), Virtualization/Sandbox Evasion (24), Process Injection (12)
Credential Access: OS Credential Dumping (2), Credentials in Registry (1)
Discovery: File and Directory Discovery (1), System Information Discovery (114), Query Registry (1), Security Software Discovery (421), Virtualization/Sandbox Evasion (24), Process Discovery (2), Application Window Discovery (1), Remote System Discovery (1)
Lateral Movement: none flagged
Collection: Archive Collected Data (11), Data from Local System (2), Email Collection (1)
Exfiltration: none flagged
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (11)
Network Effects, Remote Service Effects, Impact: none flagged

Behavior Graph

(interactive process/signature graph not reproduced in this text; only its legend survived extraction)

Screenshots

(screenshot thumbnails not reproduced in this text)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Product List.exe | 42% | Virustotal |
Product List.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
Product List.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\oObXLwwKgq.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\oObXLwwKgq.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.Product List.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
at.engineering | 0% | Virustotal |
cdn.onenote.net | 0% | Virustotal |

URLs

Every URL below is rated 0% / safe. Apart from the Tor Browser package URL, the DynDns.com string and the loopback and certificate-policy fragments, these are type-foundry addresses (fontbureau.com, jiyu-kobo.co.jp, sajatypeworks.com, founder.com.cn and similar) of the kind stored in TTF name tables, which matches the font files the process enumerated above; the odd trailing characters are string-extraction fragments, not part of any real URL. Rows the report repeated for each reputation source are listed once.

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.comwa | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0mC | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.sajatypeworks.comec | 0% | Avira URL Cloud | safe
http://ztjCrd.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/lte | 0% | Avira URL Cloud | safe
http://www.fontbureau.comTTF/ | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/9 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnC | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp//p | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cno | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/9 | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comalsp | 0% | Avira URL Cloud | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0et | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/L | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/I | 0% | Avira URL Cloud | safe
http://www.fontbureau.comU | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnTFf | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/oi | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/oo0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/jp/z0%Avira URL Cloudsafe
                      http://0AqX2o5J52Y7fM61Oxy.com0%Avira URL Cloudsafe
                      http://www.fontbureau.comgritoq0%Avira URL Cloudsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
at.engineering | 144.217.69.193 | true | false | | unknown
cdn.onenote.net | unknown | unknown | true | | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comwa | Product List.exe, 00000000.00000003.202945354.0000000005FCB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Y0mC | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comec | Product List.exe, 00000000.00000003.200659215.0000000005FB3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ztjCrd.com | Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/lte | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comTTF/ | Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/9 | Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnC | Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp//p | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Product List.exe, 00000000.00000003.200659215.0000000005FB3000.00000004.00000001.sdmp, Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cno | Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/9 | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Product List.exe, 00000000.00000003.207772790.0000000005FC3000.00000004.00000001.sdmp, Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsp | Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ascendercorp.com/typedesigners.html | Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Product List.exe, 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.htmlr-t | Product List.exe, 00000000.00000003.206416561.0000000005FC9000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Y0et | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/L | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/I | Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comU | Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnTFf | Product List.exe, 00000000.00000003.203211032.0000000005FBE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/oi | Product List.exe, 00000000.00000003.204830525.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | Product List.exe, 00000000.00000002.227845967.0000000005FB4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/oo | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/z | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://0AqX2o5J52Y7fM61Oxy.com | Product List.exe, 00000004.00000002.472992635.0000000003079000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.472808847.0000000003048000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comgritoq | Product List.exe, 00000000.00000002.227845967.0000000005FB4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | Product List.exe, 00000000.00000003.203545951.0000000005FB6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/q | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com& | Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.galapagosdesign.com/4 | Product List.exe, 00000000.00000003.207772790.0000000005FC3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcomF | Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmp | false | | high
http://at.engineering | Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/h | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/a | Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/ | Product List.exe, 00000000.00000003.206077469.0000000005FEE000.00000004.00000001.sdmp | false | | high

                                                  Contacted IPs


                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
144.217.69.193 | unknown | Canada | 16276 | OVHFR | false

                                                  General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356641
Start date: 23.02.2021
Start time: 13:52:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Product List.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/5@3/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.2% (good quality ratio 0.1%)
• Quality average: 17.4%
• Quality standard deviation: 29%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 85
• Number of non-executed functions: 4
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, wermgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                  • Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.139.144, 40.88.32.150, 52.255.188.83, 13.64.90.137, 84.53.167.113, 2.17.179.193, 13.107.42.23, 13.107.5.88, 93.184.220.29, 20.190.160.67, 20.190.160.132, 20.190.160.8, 20.190.160.75, 20.190.160.6, 20.190.160.71, 20.190.160.2, 20.190.160.69, 23.218.209.198, 51.104.139.180, 204.79.197.200, 13.107.21.200, 23.218.208.56, 23.211.6.115, 2.20.142.210, 2.20.142.209, 51.104.144.132, 92.122.213.247, 92.122.213.194, 20.54.26.129
                                                  • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, cdn.onenote.net.edgekey.net, www.tm.a.prd.aadg.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, ams2.next.a.prd.aadg.trafficmanager.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, e15275.g.akamaiedge.net, l-0014.config.skype.com, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com, skypedataprdcolwus17.cloudapp.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, login.msa.msidentity.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, l-0014.l-msedge.net, e16646.dscg.akamaiedge.net
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

Time | Type | Description
13:53:02 | API Interceptor | 769x Sleep call for process: Product List.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  No context

                                                  Domains

                                                  No context

                                                  ASN

Match: OVH
Associated Sample Name / URL | Detection | Context
FRtEQjO7fbhJ.dll | malicious | 37.187.115.122
qRoUqXAvyz.dll | malicious | 37.187.115.122
v9tWEeYg4u.dll | malicious | 37.187.115.122
1sAKtAszhK.dll | malicious | 37.187.115.122
ClfwZpeLXt.dll | malicious | 37.187.115.122
svhost.exe | malicious | 54.37.11.130
SBll8nnAVc.dll | malicious | 37.187.115.122
SecuriteInfo.com.Variant.Zusy.368685.25375.exe | malicious | 51.68.21.188
0O9BJfVJi6fEMoS.exe | malicious | 94.23.162.163
SecuriteInfo.com.Variant.Zusy.368685.25618.exe | malicious | 51.68.21.186
Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | malicious | 198.27.88.111
Quotation Reques.exe | malicious | 51.83.43.226
8TD8GfTtaW.exe | malicious | 51.68.21.186
iKohUejteO.dll | malicious | 37.187.115.122
PO No. 104393019_pdf.exe | malicious | 51.195.53.221
nTqV6fxGXT.exe | malicious | 51.254.175.184
Purchase Order___pdf ____________.exe | malicious | 66.70.204.222
File Downloader [14.5].apk | malicious | 51.75.61.103
PO_210222.exe | malicious | 213.186.33.5
SecuriteInfo.com.Trojan.MinerNET.8.3277.exe | malicious | 149.202.83.171

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Product List.exe.log
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):1406
                                                  Entropy (8bit):5.341099307467139
                                                  Encrypted:false
                                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
                                                  MD5:E5FA1A53BA6D70E18192AF6AF7CFDBFA
                                                  SHA1:1C076481F11366751B8DA795C98A54DE8D1D82D5
                                                  SHA-256:1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
                                                  SHA-512:77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
                                                  Malicious:true
                                                  Reputation:moderate, very likely benign file
                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  C:\Users\user\AppData\Local\Temp\tmp3F53.tmp
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1643
                                                  Entropy (8bit):5.19496303324492
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBp0dNtn:cbh47TlNQ//rydbz9I3YODOLNdq3fkn
                                                  MD5:6330D491F1248EE1C323C939481B4EA4
                                                  SHA1:7C410346DC54E77BE2AC9DC46D0C5B339269B5F4
                                                  SHA-256:8982D3732605043BDBB365D07952F272EBEF315621084A1F30A8D5F65AEE814A
                                                  SHA-512:5A3329227BB3418E738B5D3323043F7414D7F6EDED2FB00A0603A61C1445B33FA746EF92F9421FF337905D19C3D36F9D0232979EED49F5FFFFCE10EE04707EA1
                                                  Malicious:true
                                                  Reputation:low
                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                  C:\Users\user\AppData\Roaming\oObXLwwKgq.exe
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):578048
                                                  Entropy (8bit):7.435582170366283
                                                  Encrypted:false
                                                  SSDEEP:12288:LPgF0vXu1MRLLRE883qya1nuKbDNInpN8JK6rNMgg3vWR:DXuAm88aya14MJ7Zfr
                                                  MD5:DF1A8E7FFA630DB4A9FA38ABAEC4C0D2
                                                  SHA1:19077607D6F6951499783FAEC6F1722CB9B2C077
                                                  SHA-256:8174806D6BBE5F5C713A2A860C36B22D3EFE8C7EFFEB0284BB23DE5A9FE68D26
                                                  SHA-512:7E7C2E8D94AFAE614291A9ADD08EE21EC1D0045ED30F0912A1572AA0D4090A214DE0AC669CDB0F87A7BBA35E9CA82FD5AAABE88871C1F5567BA2C3FB26262973
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 34%
                                                  Reputation:low
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............P.............~.... ........@.. ....................... ............@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........s..\i..........(4...?...........................................0..#.......+.&...(....(..........(.....o.....*..................0..........+.&..8......8.....+*...a.+....a...#YE............B...M....>.+....<.+....YE............&.../...>...M...V..._...z........9.+......&.?.+.+.....+......&...8x.....6.8o.....(.......8`.....(.......8Q.......8H.....7.8?.....(....+.(....8)......8$.....(....+..8.......8....*.0..........+.&...++..#a.+...$a8.......X+Y.#(.....+......&...+...(0.
                                                  C:\Users\user\AppData\Roaming\oObXLwwKgq.exe:Zone.Identifier
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                  C:\Users\user\AppData\Roaming\q0ktu44q.k1d\Chrome\Default\Cookies
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):0.6970840431455908
                                                  Encrypted:false
                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                  MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                  SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                  SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                  SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.435582170366283
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                  File name:Product List.exe
                                                  File size:578048
                                                  MD5:df1a8e7ffa630db4a9fa38abaec4c0d2
                                                  SHA1:19077607d6f6951499783faec6f1722cb9b2c077
                                                  SHA256:8174806d6bbe5f5c713a2a860c36b22d3efe8c7effeb0284bb23de5a9fe68d26
                                                  SHA512:7e7c2e8d94afae614291a9add08ee21ec1d0045ed30f0912a1572aa0d4090a214de0ac669cdb0f87a7bba35e9ca82fd5aaabe88871c1f5567ba2c3fb26262973
                                                  SSDEEP:12288:LPgF0vXu1MRLLRE883qya1nuKbDNInpN8JK6rNMgg3vWR:DXuAm88aya14MJ7Zfr
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............P.............~.... ........@.. ....................... ............@................................

                                                  File Icon

                                                  Icon Hash:00828e8e8686b000

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x48dd7e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x60349BA0 [Tue Feb 23 06:07:28 2021 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al

                                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8dd2c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0x1000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x90000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8bd84 | 0x8be00 | False | 0.749713751117 | data | 7.44517297113 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8e000 | 0x1000 | 0x1000 | False | 0.40185546875 | data | 4.99794131335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x90000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x8e090 | 0x334 | data | |
RT_MANIFEST | 0x8e3d4 | 0xc0f | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

                                                  Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                  Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018
Assembly Version | 1.0.0.0
InternalName | IEnumMoniker.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | RegisterVB
ProductVersion | 1.0.0.0
FileDescription | RegisterVB
OriginalFilename | IEnumMoniker.exe

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

                                                   Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
                                                   Feb 23, 2021 13:54:46.915697098 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:47.050697088 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:47.050853014 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:47.338830948 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:47.339210987 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:47.474318027 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:47.474642992 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:47.614777088 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:47.662908077 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:47.846215963 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.011452913 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.011478901 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.011496067 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.011507988 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.011564016 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:48.011601925 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:48.015187025 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.044770956 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:48.179675102 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.180944920 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.236499071 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:48.371718884 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.375401974 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:48.510875940 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.511482954 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:48.686083078 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.688595057 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.689361095 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:48.824500084 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.824903965 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:49.001992941 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:49.153862000 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:49.154293060 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:49.289295912 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:49.292339087 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:49.292433023 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:49.292525053 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:49.292598963 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:49.430084944 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:49.430118084 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:49.430207968 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:50.126668930 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:50.244594097 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:51.293281078 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:51.429964066 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:51.430064917 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:51.453202009 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:51.542722940 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:51.677608013 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:51.677746058 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:51.935015917 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:51.935560942 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:52.069746971 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.070053101 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:52.248456955 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.264549017 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.265181065 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:52.399315119 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.542656898 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.542690039 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.542714119 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.542730093 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.542865038 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:52.552720070 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.555233002 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:52.688100100 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.689156055 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.692828894 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:52.834271908 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.834716082 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:52.967694998 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:52.968785048 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.125047922 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.129772902 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.262490034 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.262960911 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.434267998 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.482836962 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.483937025 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.617989063 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.619812012 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.620024920 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.620177984 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.620332003 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.620534897 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.620682001 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.620770931 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.620884895 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193
                                                   Feb 23, 2021 13:54:53.751034021 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.751060009 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.751230955 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.751306057 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.751576900 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.751705885 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.751885891 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:53.751890898 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:54.474220037 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3
                                                   Feb 23, 2021 13:54:54.535514116 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193

                                                  UDP Packets

                                                   Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                   Feb 23, 2021 13:52:49.658979893 CET | 49873       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:49.707695961 CET | 53          | 49873     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:52:51.271466017 CET | 53196       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:51.320465088 CET | 53          | 53196     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:52:52.225564957 CET | 56777       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:52.274302959 CET | 53          | 56777     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:52:54.334934950 CET | 58643       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:54.383745909 CET | 53          | 58643     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:52:55.393558025 CET | 60985       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:55.446018934 CET | 53          | 60985     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:52:56.323122025 CET | 50200       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:56.371922970 CET | 53          | 50200     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:52:57.270813942 CET | 51281       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:57.323899984 CET | 53          | 51281     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:52:58.269529104 CET | 49199       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:58.321420908 CET | 53          | 49199     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:52:59.107702017 CET | 50620       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:52:59.156367064 CET | 53          | 50620     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:00.018372059 CET | 64938       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:00.069804907 CET | 53          | 64938     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:00.927954912 CET | 60152       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:00.981184959 CET | 53          | 60152     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:01.824388027 CET | 57544       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:01.873764038 CET | 53          | 57544     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:03.048409939 CET | 55984       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:03.102969885 CET | 53          | 55984     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:03.858500957 CET | 64185       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:03.907257080 CET | 53          | 64185     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:04.832976103 CET | 65110       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:04.884597063 CET | 53          | 65110     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:13.953787088 CET | 58361       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:13.954802036 CET | 63492       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:14.012274981 CET | 53          | 58361     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:14.013675928 CET | 53          | 63492     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:14.524161100 CET | 58722       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:14.524230003 CET | 56596       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:14.524290085 CET | 64101       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:14.572988033 CET | 53          | 58722     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:14.573014975 CET | 53          | 56596     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:14.573132038 CET | 53          | 64101     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:14.926719904 CET | 60831       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:14.978131056 CET | 53          | 60831     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:17.163664103 CET | 60100       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:17.212567091 CET | 53          | 60100     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:17.334800005 CET | 53195       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:17.384818077 CET | 53          | 53195     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:21.835669994 CET | 50141       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:21.906491995 CET | 53          | 50141     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:22.357269049 CET | 53023       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:22.406094074 CET | 53          | 53023     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:22.436091900 CET | 49563       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:22.487602949 CET | 53          | 49563     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:27.367983103 CET | 51352       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:27.432729959 CET | 53          | 51352     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:37.493057966 CET | 59349       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:37.557876110 CET | 53          | 59349     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:45.580605984 CET | 57084       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:45.647797108 CET | 53          | 57084     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:53:57.446793079 CET | 58823       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:53:57.495541096 CET | 53          | 58823     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:54:35.790575027 CET | 57568       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:54:35.842123985 CET | 53          | 57568     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:54:46.637748003 CET | 50540       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:54:46.897916079 CET | 53          | 50540     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:54:48.828274012 CET | 54366       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:54:48.888101101 CET | 53          | 54366     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:54:51.482954025 CET | 53034       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:54:51.540743113 CET | 53          | 53034     | 8.8.8.8     | 192.168.2.3
                                                   Feb 23, 2021 13:55:01.375653982 CET | 57762       | 53        | 192.168.2.3 | 8.8.8.8
                                                   Feb 23, 2021 13:55:01.450911999 CET | 53          | 57762     | 8.8.8.8     | 192.168.2.3

                                                  DNS Queries

                                                   Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name            | Type           | Class
                                                   Feb 23, 2021 13:53:13.954802036 CET | 192.168.2.3 | 8.8.8.8 | 0xdb67   | Standard query (0) | cdn.onenote.net | A (IP address) | IN (0x0001)
                                                   Feb 23, 2021 13:54:46.637748003 CET | 192.168.2.3 | 8.8.8.8 | 0xf481   | Standard query (0) | at.engineering  | A (IP address) | IN (0x0001)
                                                   Feb 23, 2021 13:54:51.482954025 CET | 192.168.2.3 | 8.8.8.8 | 0xb902   | Standard query (0) | at.engineering  | A (IP address) | IN (0x0001)

                                                  DNS Answers

                                                   Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                     | CName                                | Address        | Type                   | Class
                                                   Feb 23, 2021 13:53:14.013675928 CET | 8.8.8.8   | 192.168.2.3 | 0xdb67   | No error (0) | cdn.onenote.net          | cdn.onenote.net.edgekey.net          |                | CNAME (Canonical name) | IN (0x0001)
                                                   Feb 23, 2021 13:53:17.212567091 CET | 8.8.8.8   | 192.168.2.3 | 0xd4fc   | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net |                | CNAME (Canonical name) | IN (0x0001)
                                                   Feb 23, 2021 13:54:46.897916079 CET | 8.8.8.8   | 192.168.2.3 | 0xf481   | No error (0) | at.engineering           |                                      | 144.217.69.193 | A (IP address)         | IN (0x0001)
                                                   Feb 23, 2021 13:54:51.540743113 CET | 8.8.8.8   | 192.168.2.3 | 0xb902   | No error (0) | at.engineering           |                                      | 144.217.69.193 | A (IP address)         | IN (0x0001)

                                                  SMTP Packets

                                                   Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP        | Commands
                                                   Feb 23, 2021 13:54:47.338830948 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3    | 220-server112.spotservhost.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 07:54:46 -0500
                                                                                       |             |           |                |                | 220-We do not authorize the use of this system to transport unsolicited,
                                                                                       |             |           |                |                | 220 and/or bulk e-mail.
                                                   Feb 23, 2021 13:54:47.339210987 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193 | EHLO 721680
                                                   Feb 23, 2021 13:54:47.474318027 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3    | 250-server112.spotservhost.com Hello 721680 [84.17.52.38]
                                                                                       |             |           |                |                | 250-SIZE 52428800
                                                                                       |             |           |                |                | 250-8BITMIME
                                                                                       |             |           |                |                | 250-PIPELINING
                                                                                       |             |           |                |                | 250-STARTTLS
                                                                                       |             |           |                |                | 250 HELP
                                                   Feb 23, 2021 13:54:47.474642992 CET | 49732       | 587       | 192.168.2.3    | 144.217.69.193 | STARTTLS
                                                   Feb 23, 2021 13:54:47.614777088 CET | 587         | 49732     | 144.217.69.193 | 192.168.2.3    | 220 TLS go ahead
                                                   Feb 23, 2021 13:54:51.935015917 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3    | 220-server112.spotservhost.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 07:54:51 -0500
                                                                                       |             |           |                |                | 220-We do not authorize the use of this system to transport unsolicited,
                                                                                       |             |           |                |                | 220 and/or bulk e-mail.
                                                   Feb 23, 2021 13:54:51.935560942 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193 | EHLO 721680
                                                   Feb 23, 2021 13:54:52.069746971 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3    | 250-server112.spotservhost.com Hello 721680 [84.17.52.38]
                                                                                       |             |           |                |                | 250-SIZE 52428800
                                                                                       |             |           |                |                | 250-8BITMIME
                                                                                       |             |           |                |                | 250-PIPELINING
                                                                                       |             |           |                |                | 250-STARTTLS
                                                                                       |             |           |                |                | 250 HELP
                                                   Feb 23, 2021 13:54:52.070053101 CET | 49738       | 587       | 192.168.2.3    | 144.217.69.193 | STARTTLS
                                                   Feb 23, 2021 13:54:52.264549017 CET | 587         | 49738     | 144.217.69.193 | 192.168.2.3    | 220 TLS go ahead

                                                  Code Manipulations

                                                  Statistics

                                                  CPU Usage

                                                  Memory Usage

                                                  High Level Behavior Distribution

                                                  Behavior

                                                  System Behavior

                                                  General

                                                  Start time:13:52:56
                                                  Start date:23/02/2021
                                                  Path:C:\Users\user\Desktop\Product List.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\Desktop\Product List.exe'
                                                  Imagebase:0xaf0000
                                                  File size:578048 bytes
                                                  MD5 hash:DF1A8E7FFA630DB4A9FA38ABAEC4C0D2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  General

                                                  Start time:13:53:05
                                                  Start date:23/02/2021
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                                                  Imagebase:0xc60000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:13:53:05
                                                  Start date:23/02/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6b2800000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:13:53:06
                                                  Start date:23/02/2021
                                                  Path:C:\Users\user\Desktop\Product List.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\Product List.exe
                                                  Imagebase:0x2a0000
                                                  File size:578048 bytes
                                                  MD5 hash:DF1A8E7FFA630DB4A9FA38ABAEC4C0D2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  General

                                                  Start time:13:53:06
                                                  Start date:23/02/2021
                                                  Path:C:\Users\user\Desktop\Product List.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\Product List.exe
                                                  Imagebase:0x8e0000
                                                  File size:578048 bytes
                                                  MD5 hash:DF1A8E7FFA630DB4A9FA38ABAEC4C0D2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Disassembly

                                                  Code Analysis

                                                    Executed Functions

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.231149271.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (2l$8^l$8^l$S$[
                                                    • API String ID: 0-4178118929
                                                    • Opcode ID: 9bc5a3a92432b39ce94971844518ca45243f4ee45c5a3eddaf87d509bd853ea5
                                                    • Instruction ID: 8b73ed17866c379d970db7309a1813344fe8ddd2a8143c25f6221a18f5a33eea
                                                    • Opcode Fuzzy Hash: 9bc5a3a92432b39ce94971844518ca45243f4ee45c5a3eddaf87d509bd853ea5
                                                    • Instruction Fuzzy Hash: 1AE11671E04108CFCB04DFA9D594AEDB7F6AF8D314F158169E42AAB3A6DB309845CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 63fbe2783295362c9cbb88c031204ee3764d7e65d3cb833f57336659e9a6bbc4
                                                    • Instruction ID: 1ab5a3a882eb98058e3aff5fc262ef6283b54b2aa5be77a9172780612ee4ff43
                                                    • Opcode Fuzzy Hash: 63fbe2783295362c9cbb88c031204ee3764d7e65d3cb833f57336659e9a6bbc4
                                                    • Instruction Fuzzy Hash: 00526A71A406198FCB14EF54C884AAEB7B2FF44308F5584AAE94EAB351D770F985CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6efeb59603220e8a27f8dc4c8bb02694bc445b8d66b2512f1c0288fcb9e452fd
                                                    • Instruction ID: d17a1f634490ba0a7b3de872a52bc0233525a5f697e86186cdfef0a6f54ccba7
                                                    • Opcode Fuzzy Hash: 6efeb59603220e8a27f8dc4c8bb02694bc445b8d66b2512f1c0288fcb9e452fd
                                                    • Instruction Fuzzy Hash: 7991B475E403198FCB04EFA4D8549DDB7BAFF89304F548615E40AAF760EB30A945CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ce87a574b12a30fd3415e8bf151b6bd7b22ac10897634f384e799aa5f031a6f
                                                    • Instruction ID: 3b76104608cc0d5d853bd8c9f5e500a2a187ff428efcbe0aaf9951b9fe0c177e
                                                    • Opcode Fuzzy Hash: 4ce87a574b12a30fd3415e8bf151b6bd7b22ac10897634f384e799aa5f031a6f
                                                    • Instruction Fuzzy Hash: FB81A035E403099FCB04EFE1D8548DDB7BAFF89314F548615F409ABA60EB30A995DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.231149271.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ae8a5ca5049aa500a3d3f8395b6bd23e2054ca61d75f00122ec4c811ac6ca60a
                                                    • Instruction ID: 5a818d4857fcc77e2e5235847666da43790e9e680a2065e3299bb4973d87910d
                                                    • Opcode Fuzzy Hash: ae8a5ca5049aa500a3d3f8395b6bd23e2054ca61d75f00122ec4c811ac6ca60a
                                                    • Instruction Fuzzy Hash: 1F61F7B2D046298BDB24CF66CC447DDBBB6BF8A300F1085EAD559A7251EBB05AC5CF40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E8EE2A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 661063598c8f00bc40a0f2c065b574c5549f958a3dbdd3f6176251fd4e082950
                                                    • Instruction ID: 5b82e056ccaf907fee763da2451c6581271a8b346ccb867f0dad803eb039ee8a
                                                    • Opcode Fuzzy Hash: 661063598c8f00bc40a0f2c065b574c5549f958a3dbdd3f6176251fd4e082950
                                                    • Instruction Fuzzy Hash: 5F51CFB1D00309DFDB14DFAAD884ADEBBB5FF88314F24812AE819AB250D7749945CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E8EE2A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: e19f7b2c748bf65b81bbbeeea41d76760cf117f3b51e43da23c1602df60460a8
                                                    • Instruction ID: 99ba6f7e02b83664e361ca222d1d1deef1f70b3a40d4446ee379205373ce21ea
                                                    • Opcode Fuzzy Hash: e19f7b2c748bf65b81bbbeeea41d76760cf117f3b51e43da23c1602df60460a8
                                                    • Instruction Fuzzy Hash: 8651E1B1D00308DFDB14DFA9D880ADEBBB5FF48314F24852AE819AB250D7709885CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E882F7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 0ec13b6e8d6eed2f1498633fb2c2bc15f6e1b401d38ef53c9cf230a0a7a645a9
                                                    • Instruction ID: 12357259cb9e59831ac4d7a26c01a0246a6882858da2145abe7c84e67c3cdbf4
                                                    • Opcode Fuzzy Hash: 0ec13b6e8d6eed2f1498633fb2c2bc15f6e1b401d38ef53c9cf230a0a7a645a9
                                                    • Instruction Fuzzy Hash: D321D3B5900248DFDB10DFAAD984ADEFBF8FB48324F14841AE959A3350D374A954CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E882F7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 362dfd5021f496a865eb442e3885198a198336cff523db4f5fbc1ab2cce698e3
                                                    • Instruction ID: df8e8e978c7d11a08ac6afbbfa2de11331c48e05f4431197b5274c97a3acc8cc
                                                    • Opcode Fuzzy Hash: 362dfd5021f496a865eb442e3885198a198336cff523db4f5fbc1ab2cce698e3
                                                    • Instruction Fuzzy Hash: EE21D3B5900248DFDB10DFAAD984AEEFBF4FB48324F14841AE959A3350C374A954CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02E8CF21,00000800,00000000,00000000), ref: 02E8D132
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 4509fe75fa19fd42d0a0037ad046a91de7e52f3a8908d435f13787fd8d0feb0c
                                                    • Instruction ID: 824a77f28e14a6c6827911ac18ba51550794f83ea7a1c1a1dec1fe8cbb7a920f
                                                    • Opcode Fuzzy Hash: 4509fe75fa19fd42d0a0037ad046a91de7e52f3a8908d435f13787fd8d0feb0c
                                                    • Instruction Fuzzy Hash: 4B11E7B59002099FCB10DFAAD844BEEFBF5EB88324F14841AE559A7640C375A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02E8CF21,00000800,00000000,00000000), ref: 02E8D132
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: f8f580eba50b2770f773d476128936eaafb5a1d0c75550b595978eeddf643fba
                                                    • Instruction ID: e34b4b4d4ab37acd27c5e44970ef6c1443182b6542c00d54af93548f7595cc4b
                                                    • Opcode Fuzzy Hash: f8f580eba50b2770f773d476128936eaafb5a1d0c75550b595978eeddf643fba
                                                    • Instruction Fuzzy Hash: 0511E4B69002099FCB14DFAAD844ADEFBF9EB88324F14842AE459A7640C375A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 02E8CEA6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: e0531b5d12578e7d273dedc3f3cde2427ef0af76948e8f1f9b4f8154381c692b
                                                    • Instruction ID: e2fe95b7fc7d19d72a1a4c21667df4e8824d1b9467d4dc99f042fc20772c4895
                                                    • Opcode Fuzzy Hash: e0531b5d12578e7d273dedc3f3cde2427ef0af76948e8f1f9b4f8154381c692b
                                                    • Instruction Fuzzy Hash: BB1113B6C002098FCB24DF9AD444BDEFBF4EB89224F10841AD859B7600C374A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 02E8CEA6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: a6301d5639ee23b1e37308068c9575eeea5cc93670a85e3b0c76033169014bb7
                                                    • Instruction ID: ba4fb72aa4844bb7a3f1dd18ce604d7e10f1e851ec7a18087a783ebdf945dbdf
                                                    • Opcode Fuzzy Hash: a6301d5639ee23b1e37308068c9575eeea5cc93670a85e3b0c76033169014bb7
                                                    • Instruction Fuzzy Hash: 851113B6C002098FCB24DFAAD544BEEFBF4EB89224F10842AD859B7600C374A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 097419AD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.231149271.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 4b092c1025759635cd6bd66aefb3ab38888a981be04a54e042d47653841bfc41
                                                    • Instruction ID: 3515b203fbcfd310d7ae61e87ac29cae0e1be83c963fb4c42226230a5b0dec14
                                                    • Opcode Fuzzy Hash: 4b092c1025759635cd6bd66aefb3ab38888a981be04a54e042d47653841bfc41
                                                    • Instruction Fuzzy Hash: 3D11D3B5800249DFDB20DF9AD984BDEBBF8EB98324F14841AE455A7710C375A584CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 097419AD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.231149271.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 114deb5778f8bff9a2e8c56b3952162f568dbff1f3f02cee88e69bef30228a6b
                                                    • Instruction ID: c9d5e769fb029cb74ec82988c56164639241da463319e439af23c95964d7dfbb
                                                    • Opcode Fuzzy Hash: 114deb5778f8bff9a2e8c56b3952162f568dbff1f3f02cee88e69bef30228a6b
                                                    • Instruction Fuzzy Hash: D511E2B58003499FDB20DF9AD985BDEBBF8FB98324F10841AE555A7700C375A984CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    C-Code - Quality: 71%
                                                    			E00AF4AD5() {
                                                    				void* _t233;
                                                    				intOrPtr* _t234;
                                                    				intOrPtr* _t237;
                                                    				void* _t242;
                                                    				intOrPtr* _t561;
                                                    				intOrPtr* _t565;
                                                    				void* _t568;
                                                    				signed int* _t569;
                                                    				signed int* _t570;
                                                    				signed char _t612;
                                                    				signed char _t613;
                                                    				signed char _t614;
                                                    				intOrPtr* _t652;
                                                    				intOrPtr* _t689;
                                                    				intOrPtr* _t712;
                                                    
                                                    				_t234 = _t233 -  *[ss:edx];                          // 0x00af4ad5
                                                    				_push(ss);                                           // 0x00af4ad8
                                                    				_t569 = _t568 +  *((intOrPtr*)(_t568 + 0x19));       // 0x00af4ada
                                                    				 *_t234 =  *_t234 + _t234;                           // 0x00af4add
                                                    				 *_t652 =  *_t652 + _t612;                           // 0x00af4ae1
                                                    				_t613 = _t612 ^  *_t569;                             // 0x00af4ae3
                                                    				_push(ss);                                           // 0x00af4ae7
                                                    				_t237 = _t234 + 0x2b +  *_t689 +  *_t569;            // 0x00af4ae8
                                                    				if(_t237 < 0) {                                      // 0x00af4aea
                                                    					 *_t237 =  *_t237 + _t237;                       // 0x00af4aec
                                                    					_t565 = _t237 + 0x2a -  *[ss:edx];               // 0x00af4af0
                                                    					_push(ss);                                       // 0x00af4af3
                                                    					_t569 = _t569 + _t569[6];                        // 0x00af4af5
                                                    					 *_t565 =  *_t565 + _t565;                       // 0x00af4af8
                                                    					 *_t652 =  *_t652 + _t613;                       // 0x00af4afc
                                                    					_t613 = _t613 ^  *_t569;                         // 0x00af4afe
                                                    					_push(ss);                                       // 0x00af4b02
                                                    					_t237 = _t565 + 0x2b +  *_t689 +  *_t569;        // 0x00af4b03
                                                    					_t712 = _t237;                                   // 0x00af4b03
                                                    				}                                                    // 0x00af4b03
                                                    				if(_t712 < 0) {                                      // 0x00af4b05
                                                    					 *_t237 =  *_t237 + _t237;                       // 0x00af4b07
                                                    					_t561 = _t237 + 0x2a -  *[ss:edx];               // 0x00af4b0b
                                                    					_push(ss);                                       // 0x00af4b0e
                                                    					_t570 = _t569 + _t569[6];                        // 0x00af4b10
                                                    					 *_t561 =  *_t561 + _t561;                       // 0x00af4b13
                                                    					 *_t652 =  *_t652 + _t613;                       // 0x00af4b17
                                                    					_t614 = _t613 ^  *_t570;                         // 0x00af4b19
                                                    					_push(ss);                                       // 0x00af4b1d
                                                    					_t242 = _t561 + 0x2b +  *_t689 +  *_t570;        // 0x00af4b1e
                                                    					if (_t242 >= 0) goto L6;                         // 0x00af4b20
                                                    				}                                                    // 0x00af4b20
                                                    				asm("sbb eax, [eax]");                               // 0x00af4b21
                                                    			}

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.221289603.0000000000AF2000.00000002.00020000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000000.00000002.221280443.0000000000AF0000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 39bfae65a02c9014fc7907f0206ee41218fb8e51ef296a8b113a62b6ae5ff8f9
                                                    • Instruction ID: 243a3a341988a1a7e97529e7e577551368974c4f39c2b820ed37c9643cb40031
                                                    • Opcode Fuzzy Hash: 39bfae65a02c9014fc7907f0206ee41218fb8e51ef296a8b113a62b6ae5ff8f9
                                                    • Instruction Fuzzy Hash: 7562F86140E7C69FCB138FB89DF55D1BFB09E6B24031E06C7D5C08E0ABD518A65ACB22
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
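Two things in these function records are worth pulling out programmatically rather than by eye. First, the "Non-executed" listing at 0x00AF4AD5 above comes from the loaded image itself (based on PE: true) and decompiles to `push ss` / `add [eax], eax` / `sbb eax, [eax]` sequences, which is what a disassembler emits when it walks bytes that are not x86 code; treat it as data misread as code, not as loader logic. Second, the executed functions all come from dumps whose name carries a 00000040 field and are marked "based on PE: false", while the image dump carries 00000002, and the AgentTesla Yara hit at the top of this section is sourced from a dump named 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp, i.e. another such region in a different process. The script below is an added example, not code from the report or from Joe Sandbox: it parses records in the format printed on this page, decodes the dump file names, lists call sites that appear under more than one function record (the two CreateWindowExW entries share ref 02E8EE2A but carry different Opcode IDs), and collects the non-PE regions whose protection field is 0x40. Reading the fifth dotted field of a dump name as the Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE, 0x02 = PAGE_READONLY) and the first as a process index is an assumption about the naming scheme, not something the page documents; the base-address field is confirmed by the report's own Offset column. The sample input is a trimmed subset of records copied from this section.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Page-protection values from winnt.h. Assumption (not stated on the page):
# the fifth dotted field of a .sdmp name is this Win32 protection value.
PAGE_READONLY = 0x02
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample input: a trimmed subset of the function records printed in
# this section, embedded so the example runs offline against real report lines.
SAMPLE_RECORDS = """\
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E8EE2A
Memory Dump Source
• Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
• API ID: CreateWindow
• Opcode ID: 661063598c8f00bc40a0f2c065b574c5549f958a3dbdd3f6176251fd4e082950
Uniqueness Score: -1.00%
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E8EE2A
Memory Dump Source
• Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
• API ID: CreateWindow
• Opcode ID: e19f7b2c748bf65b81bbbeeea41d76760cf117f3b51e43da23c1602df60460a8
Uniqueness Score: -1.00%
APIs
• PostMessageW.USER32(?,?,?,?), ref: 097419AD
Memory Dump Source
• Source File: 00000000.00000002.231149271.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false
• API ID: MessagePost
• Opcode ID: 4b092c1025759635cd6bd66aefb3ab38888a981be04a54e042d47653841bfc41
Uniqueness Score: -1.00%
C-Code - Quality: 71%
Memory Dump Source
• Source File: 00000000.00000002.221289603.0000000000AF2000.00000002.00020000.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000000.00000002.221280443.0000000000AF0000.00000002.00020000.sdmp
• Opcode ID: 39bfae65a02c9014fc7907f0206ee41218fb8e51ef296a8b113a62b6ae5ff8f9
Uniqueness Score: -1.00%
"""

SOURCE_RE = re.compile(
    r"Source File: (?P<file>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)")
API_RE = re.compile(r"^(?P<api>\w+\.\w+)\(.*\), ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    api_refs: list = field(default_factory=list)  # (API.module, call-site address)
    fields: dict = field(default_factory=dict)    # "API ID", "Opcode ID", ...


def parse_records(text):
    """One FunctionRecord per block; a block ends at its 'Uniqueness Score' line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := SOURCE_RE.match(line):
            cur.source_file = m["file"]
            cur.offset = int(m["off"], 16)
            cur.based_on_pe = m["pe"] == "true"
        elif m := API_RE.match(line):
            cur.api_refs.append((m["api"], m["ref"].upper()))
        elif line.startswith("Uniqueness Score:"):
            records.append(cur)
            cur = FunctionRecord()
        elif ": " in line:
            key, _, value = line.partition(": ")
            cur.fields[key] = value
    return records


def parse_dump_name(name):
    """Decode a .sdmp name: field 3 is the region base (matches the report's Offset
    column); field 0 as process index and field 4 as page protection are assumptions."""
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a dump name: {name}")
    parts = name[:-len(".sdmp")].split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected dump name layout: {name}")
    return {"process_index": int(parts[0], 16),
            "base": int(parts[3], 16),
            "protection": int(parts[4], 16)}


def duplicate_refs(records):
    """Call sites listed under more than one record, with each copy's Opcode ID."""
    seen = defaultdict(list)
    for rec in records:
        for api, ref in rec.api_refs:
            seen[(api, ref)].append(rec.fields.get("Opcode ID", ""))
    return {k: v for k, v in seen.items() if len(v) > 1}


def rwx_non_pe_regions(records):
    """Bases of dumped regions that are RWX (assumed field) and not a mapped PE:
    the places to carve for unpacked or injected code."""
    bases = set()
    for rec in records:
        info = parse_dump_name(rec.source_file)
        if info["protection"] == PAGE_EXECUTE_READWRITE and not rec.based_on_pe:
            bases.add(info["base"])
    return sorted(bases)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (api, ref), ids in duplicate_refs(recs).items():
        print(f"{api} ref {ref} listed {len(ids)} times")
    print("RWX non-PE regions:", [hex(b) for b in rwx_non_pe_regions(recs)])
```

Feed it the full text of this section instead of the embedded subset to get every duplicated call site and every RWX region in one pass; the regions it returns are the ones worth dumping and scanning, which is where the Yara match in this report was found.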

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9fc4f1ab6a641ef8470e5f6cc279c25bd5ba6523f92439916b926c1f14d79bbd
                                                    • Instruction ID: 1c43c30e06ca387dc1edd2f20272ee1b5a9865c1418d6701d3cb78da537fadc8
                                                    • Opcode Fuzzy Hash: 9fc4f1ab6a641ef8470e5f6cc279c25bd5ba6523f92439916b926c1f14d79bbd
                                                    • Instruction Fuzzy Hash: 3612B5F1ED17469AEB10CF66E8981893BA1B745328FD14B08D2621FAD1D7B421EECF44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee9e77e8cb8bbee6ab61d44b0da0b12b12e3f1f624d078f4e584d4f1e3ff64a7
                                                    • Instruction ID: 4217e4790153915d231095734d74451e8e849ccb582a07e321868ebcdf6fd743
                                                    • Opcode Fuzzy Hash: ee9e77e8cb8bbee6ab61d44b0da0b12b12e3f1f624d078f4e584d4f1e3ff64a7
                                                    • Instruction Fuzzy Hash: 57A16F32E40219CFCF19EFA5C8445DEB7B6FF85304B25956AE909BB220EB31A945CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.222189326.0000000002E80000.00000040.00000001.sdmp, Offset: 02E80000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 66e984ddd7527bde164a57468980e4fe9148667b7707abf19579f0bd432cc275
                                                    • Instruction ID: cce9d9e2761880b08aa0f2d13aade45fa0e91cb6ae00c37a1d2184ddcbd609cc
                                                    • Opcode Fuzzy Hash: 66e984ddd7527bde164a57468980e4fe9148667b7707abf19579f0bd432cc275
                                                    • Instruction Fuzzy Hash: BCC11AF1ED17458ADB10DF66E8981893BA1BB85328FD14B08D1622FAD1D7B430EACF54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Executed Functions

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: \$\$\$\
                                                    • API String ID: 2994545307-3238275731
                                                    • Opcode ID: a2edc0e4d3624fe435821917d1cafa8546c715004eb9518b44da7d7c8e35acb8
                                                    • Instruction ID: 759e3ca0b030c1fce6becb34a63ce649cab9a40da466b13e420b958edebf5354
                                                    • Opcode Fuzzy Hash: a2edc0e4d3624fe435821917d1cafa8546c715004eb9518b44da7d7c8e35acb8
                                                    • Instruction Fuzzy Hash: 13029C30A012098FDB14EBB4D8547BF7BB2AF84358F15C529D605EB391EB74DC4A8BA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: D0l$D0l$D0l
                                                    • API String ID: 0-195073329
                                                    • Opcode ID: ea0f5f85b7b559b0c3d05e23af606936914093f3ab5ca1021643810e315c5716
                                                    • Instruction ID: 94133cd326884048fad83be3b60cd3925ec6126647401946451b9626535c2195
                                                    • Opcode Fuzzy Hash: ea0f5f85b7b559b0c3d05e23af606936914093f3ab5ca1021643810e315c5716
                                                    • Instruction Fuzzy Hash: C9128070A002198FDB24DF64C854BAEBBF6AF98304F158469E946EB391DF34DD45CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: d07536fe23340b11eefe97db4ef0a519253c08525fb3e6aa08f6a28a3bf0cc53
                                                    • Instruction ID: 39043c107d29de311254b9ac65a25e498b405ecba9a956d5e0c7681874315430
                                                    • Opcode Fuzzy Hash: d07536fe23340b11eefe97db4ef0a519253c08525fb3e6aa08f6a28a3bf0cc53
                                                    • Instruction Fuzzy Hash: C0620830E006198FCB24EF78C8546EEB7B2AF89304F1185A9D54AAB351EF709E85CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (N
                                                    • API String ID: 0-946558477
                                                    • Opcode ID: ae9a0113cc8bb53bf4adbdf52c5b2d3c1d26ea11d596f11b3b1e31ee4d49489e
                                                    • Instruction ID: 2899085c80c06e5765679543c877e496695c5436100c0fc88d4c9397789abf44
                                                    • Opcode Fuzzy Hash: ae9a0113cc8bb53bf4adbdf52c5b2d3c1d26ea11d596f11b3b1e31ee4d49489e
                                                    • Instruction Fuzzy Hash: 96427F30B042058FCB14DBB8D8546AEBBB2EF85314F15896AE406DB794EF34DC46CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.477531375.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 260b40ddce70b37d82bbf42ceffc2fff60f196fac47a7ec7e2923a931c1a8ea8
                                                    • Instruction ID: de0a2252014ac7e234b34a1cd5a97f85dd44093cc3a6a0ac277782dc229593ce
                                                    • Opcode Fuzzy Hash: 260b40ddce70b37d82bbf42ceffc2fff60f196fac47a7ec7e2923a931c1a8ea8
                                                    • Instruction Fuzzy Hash: A7F13830A00209CFDB54DFA9C984BADBBF1FF88314F15856DE419AF2A5DB70A945CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62db55ee86a9812fd7a3c9ff88f90f6f8d6096d1e70ce5f0fc266ca7da880919
                                                    • Instruction ID: 71f6120754c85de4721334d135579bfc3842ef9fbcbf14c10c3db6ea935f4109
                                                    • Opcode Fuzzy Hash: 62db55ee86a9812fd7a3c9ff88f90f6f8d6096d1e70ce5f0fc266ca7da880919
                                                    • Instruction Fuzzy Hash: 83927C30B002048FCB15EBB4D858BAEBBF2AF89304F5585A9E549EB395DF349C45CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b875060c857d27714643ebe47eddca925d4395bdd4a407c9875d79738cba1c2b
                                                    • Instruction ID: 33814f8be663528f37d19588186cd237246d196a8fd7beab2308ef0634b3d525
                                                    • Opcode Fuzzy Hash: b875060c857d27714643ebe47eddca925d4395bdd4a407c9875d79738cba1c2b
                                                    • Instruction Fuzzy Hash: BB823B70A006099FCB14DF68C984AAEBBF2FF48354F19855AE445DB3A1DB30EE41DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0547575d404ccebe008977f7a58ed1226da2052ad461f00f7226f8b3ae519a34
                                                    • Instruction ID: b825f995847587391c30ccdbeef9ba983653cf5d17d0031b6a69c341a7f24a1e
                                                    • Opcode Fuzzy Hash: 0547575d404ccebe008977f7a58ed1226da2052ad461f00f7226f8b3ae519a34
                                                    • Instruction Fuzzy Hash: 13025D30B002059FCB14EFB8D8586ADBBF2EF88314F198566D40AEB396DB35DC458B61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8132bb5dda1e134247af1746afcbda07250edfc800d5ef5b41ab2aee945feb73
                                                    • Instruction ID: 741feac2c76c72ca68d1e2ffe1acc5961112a3e804cb6e20395fcfc3c1507ae9
                                                    • Opcode Fuzzy Hash: 8132bb5dda1e134247af1746afcbda07250edfc800d5ef5b41ab2aee945feb73
                                                    • Instruction Fuzzy Hash: 10022B31A00119DFCB14CFA8C984ABDBBB6FF68310F19816AE815AB365D771ED41CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 011D6BB0
                                                    • GetCurrentThread.KERNEL32 ref: 011D6BED
                                                    • GetCurrentProcess.KERNEL32 ref: 011D6C2A
                                                    • GetCurrentThreadId.KERNEL32 ref: 011D6C83
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID: `
                                                    • API String ID: 2063062207-4168407445
                                                    • Opcode ID: ce852d35047034a9c4246325fb6f21db96c5e612d0aec24bc10b022df6b2bbd0
                                                    • Instruction ID: fea466aed6d5c99f625d39171790716864ed63e9bfe3b5cf3afcceb44fa67b39
                                                    • Opcode Fuzzy Hash: ce852d35047034a9c4246325fb6f21db96c5e612d0aec24bc10b022df6b2bbd0
                                                    • Instruction Fuzzy Hash: 945123B0E006488FDB14DFAAD648BAEBBF0EF48314F248499E519B7360D774A944CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Xcl$Xcl
                                                    • API String ID: 0-2795669184
                                                    • Opcode ID: d5f2d8f87c5289815c9c6a488775e9d8d2a03514ed5514292d5b17a1542ae99e
                                                    • Instruction ID: 6a4aff77b1d4392397fa03c5b0416a56bd63864bfb091c6807ba19060e088afb
                                                    • Opcode Fuzzy Hash: d5f2d8f87c5289815c9c6a488775e9d8d2a03514ed5514292d5b17a1542ae99e
                                                    • Instruction Fuzzy Hash: 8C816E38B50506AFCB14CFADC484A6AB7B6FF89345B19816BD406DB361D731EC41CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea86f1af96a08b15ceaa7b0687440ab02da7fb5ba07ea2136f63631a5fb1a0a7
                                                    • Instruction ID: 6f34e29f7c3122a855525fef9979e12ab9b5836d957daa4160f2ef65d00fe6f2
                                                    • Opcode Fuzzy Hash: ea86f1af96a08b15ceaa7b0687440ab02da7fb5ba07ea2136f63631a5fb1a0a7
                                                    • Instruction Fuzzy Hash: 47F1B034B04205DFCB04AB70D858ABE7BA2EF85354F158A69E516AB3E1DF34DC09CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3c4842c4c5244c9bdad80504ce6f9324194361c00ede438e7bea38aebeabd684
                                                    • Instruction ID: 6108a755473c4e1a29fab8577e5cea09ce1bceeed412416866742249861c736f
                                                    • Opcode Fuzzy Hash: 3c4842c4c5244c9bdad80504ce6f9324194361c00ede438e7bea38aebeabd684
                                                    • Instruction Fuzzy Hash: C2419571A002099FCB04EFB4D845AAEB7B5FF85344F158969E502AB791EF70E908CB70
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011D52A2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: c15e344eaa83b0ce506fcebc53a4229aa90d8ca09872ff813b7cb17b93dc8a54
                                                    • Instruction ID: a38354c5072cc119d63c86e47e50e3570eb20207da2c339d961a98f653719e26
                                                    • Opcode Fuzzy Hash: c15e344eaa83b0ce506fcebc53a4229aa90d8ca09872ff813b7cb17b93dc8a54
                                                    • Instruction Fuzzy Hash: 8651BDB5D00349DFDB18CFA9C984ADEBBB6BF48314F64812AE819AB210D7749845CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011D52A2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: b67e203c34541fcec8c43953d59f1f3afe1ecc4db341f2f47591cec3e1246a68
                                                    • Instruction ID: 7180c1c6aadd34bc1caf37366919a1c3e7bbf0d35e7c843ef1306fbb675d98fa
                                                    • Opcode Fuzzy Hash: b67e203c34541fcec8c43953d59f1f3afe1ecc4db341f2f47591cec3e1246a68
                                                    • Instruction Fuzzy Hash: 8941B0B1D10349DFDF14CF99C984ADEBBB6BF48314F64812AE919AB210D7749845CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00DF5849
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID: QueryValue
                                                    • String ID:
                                                    • API String ID: 3660427363-0
                                                    • Opcode ID: 5971688f93ca9d227cd21d489b538b3c5a6263f1a6a95e5caff3f3624abb18c9
                                                    • Instruction ID: f17779eb8f77896e6241002873d92bc3875008c11d2fd461afcb6441c82322b5
                                                    • Opcode Fuzzy Hash: 5971688f93ca9d227cd21d489b538b3c5a6263f1a6a95e5caff3f3624abb18c9
                                                    • Instruction Fuzzy Hash: 154136B1E00248DFCB10CFA9D484AAEBBF5BF48344F59802AE908AB304D7709845CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00DF518C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID: Open
                                                    • String ID:
                                                    • API String ID: 71445658-0
                                                    • Opcode ID: 494bb6f2bb54040086860760190665ef240cbe22e31fb1c322ff7337e6c886ae
                                                    • Instruction ID: b543cff2f72fcda7ff326c063147ff40ee62fc7e23f840fb092913847a7dec30
                                                    • Opcode Fuzzy Hash: 494bb6f2bb54040086860760190665ef240cbe22e31fb1c322ff7337e6c886ae
                                                    • Instruction Fuzzy Hash: FE4154B0A003499FDB14CF99C448A9EBBF5BF49304F29C169EA08AB345C7759845CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 011D7CF9
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: bd177c0db3fd903ef272a5d6c1eabb4a1e5ce9e91f879cb49cd9d3ecfafcd668
                                                    • Instruction ID: b58cf69b821156e195c298b36c55d5a5e8a57bb7554376b6e492753b8e7f3e03
                                                    • Opcode Fuzzy Hash: bd177c0db3fd903ef272a5d6c1eabb4a1e5ce9e91f879cb49cd9d3ecfafcd668
                                                    • Instruction Fuzzy Hash: F9415CB59007058FCB18CF59C488BAABBF5FF88318F258459E519A7361C734A841CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00DF5849
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID: QueryValue
                                                    • String ID:
                                                    • API String ID: 3660427363-0
                                                    • Opcode ID: 8c2aa51c0b5b749ca700fb612de0c6bdf92a6e6be1d0f02338335b293b7d82e7
                                                    • Instruction ID: 8a4572b72c067dfe61732c1ba8115e6d75d3648eaa1ce80fdca69109c1ee7aa4
                                                    • Opcode Fuzzy Hash: 8c2aa51c0b5b749ca700fb612de0c6bdf92a6e6be1d0f02338335b293b7d82e7
                                                    • Instruction Fuzzy Hash: DC31FFB1D006589FCB20CF9AD884AAEBBF5BF48354F55802AE919BB314D7709905CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00DF518C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID: Open
                                                    • String ID:
                                                    • API String ID: 71445658-0
                                                    • Opcode ID: 3dd33476183147efb31cc75ba59ca68b6531390688850f3b9d8c5dd723431512
                                                    • Instruction ID: 79c78ab289f5c1d738f900e75c2c415e78c5191a79425c29b7ecaf988458f3ff
                                                    • Opcode Fuzzy Hash: 3dd33476183147efb31cc75ba59ca68b6531390688850f3b9d8c5dd723431512
                                                    • Instruction Fuzzy Hash: C031F1B0D043489FDB10CF99C584A9EFFF5BB48304F29C16AEA09AB345C775A845CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011D6DFF
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 4fbf36e6bc6b4ebbc537e5971d39330ffb7590e506ff1d67100364f63a12040c
                                                    • Instruction ID: 9556568e1ce3a79e0e1fa71cfe520a6afb258c1f559ae330a555fac19844d6eb
                                                    • Opcode Fuzzy Hash: 4fbf36e6bc6b4ebbc537e5971d39330ffb7590e506ff1d67100364f63a12040c
                                                    • Instruction Fuzzy Hash: C321E4B5900218DFDB10CFA9D584AEEBBF4FB48324F14852AE914A7310D378A954DFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011D6DFF
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 00efef31c2a09c54c88b0fd56b5895812dc9eb29a49f4f7282ffbfd1a62708ea
                                                    • Instruction ID: 732e343182dd5d2a06c17d7d99e73d7c060754da0751cc7958f4acf8f9e6a0ad
                                                    • Opcode Fuzzy Hash: 00efef31c2a09c54c88b0fd56b5895812dc9eb29a49f4f7282ffbfd1a62708ea
                                                    • Instruction Fuzzy Hash: A321C4B59002589FDB10CFAAD984ADEFBF8FB48324F14841AE954A7310D374A954CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,06C7BA99,00000800), ref: 06C7BB2A
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.477531375.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 6b2824d5504e98cf42813655d15bd2eb6f1bb038e61d7fbf5c2fdbfa7ab38c53
                                                    • Instruction ID: 28b5d51269fe78658fa63f8a333348e12eba28d03221b8bb498b1cb1076f3531
                                                    • Opcode Fuzzy Hash: 6b2824d5504e98cf42813655d15bd2eb6f1bb038e61d7fbf5c2fdbfa7ab38c53
                                                    • Instruction Fuzzy Hash: 8A1106B5C002098FCB10CF9AD484BDEFBF4BB48324F14842AE955A7600C375A945CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,06C7BA99,00000800), ref: 06C7BB2A
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.477531375.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 0d73f35c1bebb5b1bf97e9e3ebe6fbe35214ce59a981874412b16ccbc445400e
                                                    • Instruction ID: 7b33d50e20c2b83083aca0a9268e0b0fbc06bae6faed7be658f1a7185159816e
                                                    • Opcode Fuzzy Hash: 0d73f35c1bebb5b1bf97e9e3ebe6fbe35214ce59a981874412b16ccbc445400e
                                                    • Instruction Fuzzy Hash: 4F1106B59002089FCB10DFAAD444BDEFBF4EB48324F14842AE915A7200C374A945CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlEncodePointer.NTDLL(00000000), ref: 011DC432
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: EncodePointer
                                                    • String ID:
                                                    • API String ID: 2118026453-0
                                                    • Opcode ID: 64bd5ab8a916caee6e7eef38d35868ffa1da3e0616a0490bd8dc45f765bb1792
                                                    • Instruction ID: 5cc4c2126bd0aa4c0826ae6a4378d0534f09ab74156dcfb93e4579b6b5586b5e
                                                    • Opcode Fuzzy Hash: 64bd5ab8a916caee6e7eef38d35868ffa1da3e0616a0490bd8dc45f765bb1792
                                                    • Instruction Fuzzy Hash: 301159B19003068FDB20EFA9D5087AEBBF4FB48324F64892AD409A7641C739A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467383771.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 1ba6123629b84b4e5b36775ca26e5d5ce958570c02f2a8bbcb4d6dca7cbe8319
                                                    • Instruction ID: 1d256dde4064e6604007d59e997352630d58a47f954384c5c9aae937af07a503
                                                    • Opcode Fuzzy Hash: 1ba6123629b84b4e5b36775ca26e5d5ce958570c02f2a8bbcb4d6dca7cbe8319
                                                    • Instruction Fuzzy Hash: E0112B30A01258DFCB14EFA5D488BAEBBB1FF85305F21D968D501AB350DB359889CF60
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 011D4216
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: d064050f202c68d4381cbcfef67233fdf412d57747d4d3835cd9579661d6c125
                                                    • Instruction ID: c2ba6a33fc20ffd882437bbea50dfbd17d2f110daf812928c254b876548364f2
                                                    • Opcode Fuzzy Hash: d064050f202c68d4381cbcfef67233fdf412d57747d4d3835cd9579661d6c125
                                                    • Instruction Fuzzy Hash: 171134B5C006498FCB14CFAAD484BDEFBF4EF48224F14852AD859B7600D378A545CFA1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 011D4216
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.469920025.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 1a05ab838dce9d3131ce99a3c3a92547dea3bf8aeba9f27856300e05529bb0a7
                                                    • Instruction ID: 57eba05d56ee37f49cb8463860d91e7e5dea0a00d4e4f26d6b411c824cef5ae1
                                                    • Opcode Fuzzy Hash: 1a05ab838dce9d3131ce99a3c3a92547dea3bf8aeba9f27856300e05529bb0a7
                                                    • Instruction Fuzzy Hash: 701123B59002498FDB24DFAAD444BDEBBF4EB48224F11842AD529B7A00C374A545CFA1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 06C7F665
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.477531375.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 148234121f36a9a567328002837235e64ce6071498fcf77edada9af55995ba61
                                                    • Instruction ID: 1f2b49d6415809b23747aa7b0ffb53cebaa90c410551e264390c84fb161307cc
                                                    • Opcode Fuzzy Hash: 148234121f36a9a567328002837235e64ce6071498fcf77edada9af55995ba61
                                                    • Instruction Fuzzy Hash: 0F1106B58003488FCB20DFA9D585BDEFBF8EB48328F208419E559A7710C775A544CFA5
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 06C7F665
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.477531375.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 92b628600171d918dbdf8531666759e2a235a7a287601916a8188ec213254392
                                                    • Instruction ID: e05d76c60bfe91443181ae6a1d4fe9522b42bc3b53ad565e3773aead5aaddd60
                                                    • Opcode Fuzzy Hash: 92b628600171d918dbdf8531666759e2a235a7a287601916a8188ec213254392
                                                    • Instruction Fuzzy Hash: 221103B59007488FCB20DFAAD588BDEBBF4EB48324F20845AE519A7710C375A944CFA5
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID: D0l
                                                    • API String ID: 0-3512419482
                                                    • Opcode ID: 3cce20ff75f4ace0eeda588dd6bf0c7c05848c4cd8be66776977f757717ac4e8
                                                    • Instruction ID: 8f730b082a7905b97ca2ccfc52b4d6065f0b7b5d185b49ad635d387ad284da80
                                                    • Opcode Fuzzy Hash: 3cce20ff75f4ace0eeda588dd6bf0c7c05848c4cd8be66776977f757717ac4e8
                                                    • Instruction Fuzzy Hash: D461D334B093848FD705E774D814AAA7BB69F8A314F1A84B6D546DB392DF34DC09C722
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f9cefaa635820f202c80e8379f85ee18a4916fb31611a1bf854f2f3695ec34d
                                                    • Instruction ID: 2bfec6e71683c538fb0ea4a53d6c3c7613e0bb02703180523ea7c444c2a3e7c3
                                                    • Opcode Fuzzy Hash: 7f9cefaa635820f202c80e8379f85ee18a4916fb31611a1bf854f2f3695ec34d
                                                    • Instruction Fuzzy Hash: 88429F307093858FD706AB74985866A7FB29F86304F1985EBD545DF3A3EA38CC0AC761
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cff1a507dd62c02ae0a9cbd24dbd15102aa049928ede482ce9221b58480cf6b9
                                                    • Instruction ID: e5738e87630baf5c8986b05623b71b84cd94ae0a8cc6e2fe7b3b73ef47c4c4b7
                                                    • Opcode Fuzzy Hash: cff1a507dd62c02ae0a9cbd24dbd15102aa049928ede482ce9221b58480cf6b9
                                                    • Instruction Fuzzy Hash: F952F234A041188FEB24EFA0C850B9EBBB6EF85304F1180ADD54AAB395DF359D45DF62
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 378f0e35645ec54189b365f147fd9168ede0d926cd586c0663daf548903b433f
                                                    • Instruction ID: e17c01d0ae83d798a3fe78c49c5c49bfb03117d683d16be0122889bc4ed093db
                                                    • Opcode Fuzzy Hash: 378f0e35645ec54189b365f147fd9168ede0d926cd586c0663daf548903b433f
                                                    • Instruction Fuzzy Hash: 60424D30A102198FCB24DFA8D584AADBBF2FF49314F15996AE40ADB351DB35EC45CB60
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b475f12ba4e01239f7072c0c7cd1877400ee96e99124a69f32cae24290007bc
                                                    • Instruction ID: af83507795b52bc1dd29f73b682f8e260db0fec515ec6b6fdedd1fdfe4611082
                                                    • Opcode Fuzzy Hash: 9b475f12ba4e01239f7072c0c7cd1877400ee96e99124a69f32cae24290007bc
                                                    • Instruction Fuzzy Hash: CEF1FB75A016158FCB14DF6DD4849ADBBF6FF88311B1A80AAE519AB371DB30EC41CB60
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aeb010d78319b31496a1c4b3c6427e3bbaa001e39892d0c64ef0ff3bf71e40f0
                                                    • Instruction ID: ce844b042d0bb02e6b58ad954f04170f4362720a81c88350b89d2ed1e1911271
                                                    • Opcode Fuzzy Hash: aeb010d78319b31496a1c4b3c6427e3bbaa001e39892d0c64ef0ff3bf71e40f0
                                                    • Instruction Fuzzy Hash: 18E16930A102198FC724EBB8D548A6DBBF2FF88319F14A56AE41A9B350DB35DC45CF60
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f34844929b97c68f812b3e9157013986977ae55b4973114d5c11167f8f49b56e
                                                    • Instruction ID: 86671984e824bcbce394dcfed3ea7acf18c1ca2e822182c2b873c34e9279f2c7
                                                    • Opcode Fuzzy Hash: f34844929b97c68f812b3e9157013986977ae55b4973114d5c11167f8f49b56e
                                                    • Instruction Fuzzy Hash: F5C1E239704211EFCB25AB24C854B6E77E6EF88345F18842AE906CB391CF34DC06CBA1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f41b7af27f118b789fddfb6a194917671ef627531b9de98065af7228fd1fef8d
                                                    • Instruction ID: 4a724859d8e3db9de70e794284e14ac3f2559e8a8f908ea9e5653a03e153f0f2
                                                    • Opcode Fuzzy Hash: f41b7af27f118b789fddfb6a194917671ef627531b9de98065af7228fd1fef8d
                                                    • Instruction Fuzzy Hash: 9FC14E30A002099FCB14DFA9C884AAEBBF6BF58314F19855AF955EB361D730ED41CB61
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3bb079520243adc0f9fbdcc1d3dddbe2a8283af3af54736074738428f3ae18e
                                                    • Instruction ID: cf7803eb5c94388422f720ed7c1c21d2b771a2a63ce8680bcb239a4c17b17d66
                                                    • Opcode Fuzzy Hash: d3bb079520243adc0f9fbdcc1d3dddbe2a8283af3af54736074738428f3ae18e
                                                    • Instruction Fuzzy Hash: 28619430B006058FCB14AFB1E45826E77F2AFC4345B148969D806EB7A4EF75DD4ACBA1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cba959c712e6f8292ea1c810223408d9b62b35d24566ad0233ffc1999e0704a0
                                                    • Instruction ID: 0e54e88a1287d524e5c4bd344b65ec15a1674286d1e4c116f52f326861b7b8ed
                                                    • Opcode Fuzzy Hash: cba959c712e6f8292ea1c810223408d9b62b35d24566ad0233ffc1999e0704a0
                                                    • Instruction Fuzzy Hash: C8517A313141118FCB14DF7DC88492ABBE9FF4975071A40ABE806DB362EB21DE01CB62
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 974812fbc8c37e2c83d00e44d3b0b414986eba812df04f0dc9a9608d09e6f1c6
                                                    • Instruction ID: 0ef84572d85777d4c2414534a79449553e49da695cde6ca1c1d05171bfcc93ba
                                                    • Opcode Fuzzy Hash: 974812fbc8c37e2c83d00e44d3b0b414986eba812df04f0dc9a9608d09e6f1c6
                                                    • Instruction Fuzzy Hash: B851E431B006508FD7109B78C854BADB7E2AF89314F29807AD95ADFBA5DF35CC0687A1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43784364755f0a9c9d38d55ff8ead865ab27317c54ce20e818032815dbb4c77b
                                                    • Instruction ID: de854c2eacacb55e40e2b29343dc80ffa9aaef6fc09358bd2eb3c3072df604c8
                                                    • Opcode Fuzzy Hash: 43784364755f0a9c9d38d55ff8ead865ab27317c54ce20e818032815dbb4c77b
                                                    • Instruction Fuzzy Hash: EF41C631304654CFCB169F64F8146AA3BF3EF8A351B09849AE506CB3A1DB34DC15DB61
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7fd4fd988422785f1b50ae09598cd946ac050a968e81baffee525e09d27228e8
                                                    • Instruction ID: a1ac14a2d1b870f7f42b46972176caa5353cbf6287993886efb869bfa9f457da
                                                    • Opcode Fuzzy Hash: 7fd4fd988422785f1b50ae09598cd946ac050a968e81baffee525e09d27228e8
                                                    • Instruction Fuzzy Hash: 7A4159747001599FCB14DF29D898AAA7BB5FF88310F14006AF946CB3A0CB71DE40CBA2
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 591384fdf50395171f61265f48be52da11588ceefb27c50f56531803bca180e4
                                                    • Instruction ID: 1186e350bc77c04be0a5aa45bb8d5dc5b2d75989aae6183b934c893888ad5c88
                                                    • Opcode Fuzzy Hash: 591384fdf50395171f61265f48be52da11588ceefb27c50f56531803bca180e4
                                                    • Instruction Fuzzy Hash: 9E41913570010AEFCF059F69E844AAE7BB6EF88300F188466F9168B351DB35CD65DBA0
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d619077a0262ce7e1c4c99592e700481f114619b48d2747c99ce621b19845a99
                                                    • Instruction ID: 51ff2abee3b8700d0644f0924b7d7f74b66107917480b1f9b60bac0ce17d4958
                                                    • Opcode Fuzzy Hash: d619077a0262ce7e1c4c99592e700481f114619b48d2747c99ce621b19845a99
                                                    • Instruction Fuzzy Hash: C6318E31B04204CFCB05ABB5D4546AEBBF2EF89359B15846AD407EB7A1DF30DC498BA1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0967b27bf3167a3b3ec2d95af0668d12b0c8c6710df9c58feba7613bceac32bc
                                                    • Instruction ID: c263ea6d5cc59c14ea821c324ceb9605bbecfe1dd7f800100794f4b2c69f4422
                                                    • Opcode Fuzzy Hash: 0967b27bf3167a3b3ec2d95af0668d12b0c8c6710df9c58feba7613bceac32bc
                                                    • Instruction Fuzzy Hash: C631EF31A016199FCB10DFA9E880AAFBBB8EF49311F14446BE915D7351D730AD45CBA1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a80acf09b5d2be8f8d50a5175b76889031d512845ab4cd699d6fe49acf651798
                                                    • Instruction ID: 3a53c0af6a42d9bb34a2798a309c68610857d13b7dd7f80fd3eb9e12ea12cfa0
                                                    • Opcode Fuzzy Hash: a80acf09b5d2be8f8d50a5175b76889031d512845ab4cd699d6fe49acf651798
                                                    • Instruction Fuzzy Hash: 5331C031B00204CFCB04ABB5D4146AEBBF3EF88259B15842AE407EB790DF30DC098BA1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1fb15c563011768a9fb7ddc65d0face1f9cc3ae6febcb603f419da1ea9768d54
                                                    • Instruction ID: 163b2bec70fea123d330d2080bc25041c321b90f8e37554707610f044bc01ab1
                                                    • Opcode Fuzzy Hash: 1fb15c563011768a9fb7ddc65d0face1f9cc3ae6febcb603f419da1ea9768d54
                                                    • Instruction Fuzzy Hash: 8031BE35B002049FCB149B74D865AAEBBF6AB8C254F158469EA06EB381DF309D15CBA1
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ded3e8833eb769d5a3290ad91ad2325f437386eb2e6295e041344432892fccd7
                                                    • Instruction ID: a8a72f064b2a698fa837da61593e822b75024509f662fb55239e093d70e0d4a2
                                                    • Opcode Fuzzy Hash: ded3e8833eb769d5a3290ad91ad2325f437386eb2e6295e041344432892fccd7
                                                    • Instruction Fuzzy Hash: C421D331B152014FDB2197B898507AA77E79FC9314F19987BE50AC7381EE24DC468362
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bebd91ddc3a32498fb471cd6eb5d5bf115e99c8c2bbf15885cb9f6c656f2b62e
                                                    • Instruction ID: dde4af33c9fab0026fc298f33d722db2e9de4853354c79a37f9644ed1724660e
                                                    • Opcode Fuzzy Hash: bebd91ddc3a32498fb471cd6eb5d5bf115e99c8c2bbf15885cb9f6c656f2b62e
                                                    • Instruction Fuzzy Hash: 13317371A115158FCB04CF6CC8849AEBBF2FF85321B16815AE516EB3A1DB34DC46CBA4
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5bcf89cf5bbaeb9cd1be87ec6a6c6fe7ed3a21b76529c52a53ca3bae2b7175c9
                                                    • Instruction ID: c8024c076730f79660086255f641bfe170fd7f514c43e863051ea16f14313ccc
                                                    • Opcode Fuzzy Hash: 5bcf89cf5bbaeb9cd1be87ec6a6c6fe7ed3a21b76529c52a53ca3bae2b7175c9
                                                    • Instruction Fuzzy Hash: 7221A1313042044BDB246626D89477EBB9B9FD4759F28803AE502CB7D4EE79CD42A7A3
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8b9b2daa2288d686472d39ff0649593ffdb69fb70aff010ca5629cb3f336eb1
                                                    • Instruction ID: ad11e541e74d137e3e2638adfd568d5f2734a8d8b1dd26119d26007f24d718f2
                                                    • Opcode Fuzzy Hash: f8b9b2daa2288d686472d39ff0649593ffdb69fb70aff010ca5629cb3f336eb1
                                                    • Instruction Fuzzy Hash: 6D21D4313002054BDB256725D89567DBB9B9FD4714B28403BE502CB7E0EF29CE41ABA3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da227c145c636150b0e3d0f29ab46d6a68a35c235abb51bd198b49ec0d4770ec
                                                    • Instruction ID: 8ea4c61e692231bf9e9da16cc91e5686d9232a0296b788676f6b2811f206b4d5
                                                    • Opcode Fuzzy Hash: da227c145c636150b0e3d0f29ab46d6a68a35c235abb51bd198b49ec0d4770ec
                                                    • Instruction Fuzzy Hash: 8221A0713241559FC7208F6E9C40A6B7BA9AB55350B1A4027E842E7345DB31DE4097B2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc2e1b693a6c5894addb579ee52b5f026e0a7ce050cf2b4dcdb702bf4ed4dd77
                                                    • Instruction ID: d71786be16f7a1a6ad1a946dad7797dee27e1f6c7feaff54811273cf9995c7be
                                                    • Opcode Fuzzy Hash: cc2e1b693a6c5894addb579ee52b5f026e0a7ce050cf2b4dcdb702bf4ed4dd77
                                                    • Instruction Fuzzy Hash: 3821B235B142158FCB41EBBDD801AAE77F5EF89314B158066D109E7396EB34DC068BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: de7300eeee5dfec14b2450435a1346f5c2ea3f6f460666824c32c5fad5ce99a1
                                                    • Instruction ID: 071e875a94e99e3a5b4cb14c7a8a318b327a482f19446c7eecc3a3f2467fe6b3
                                                    • Opcode Fuzzy Hash: de7300eeee5dfec14b2450435a1346f5c2ea3f6f460666824c32c5fad5ce99a1
                                                    • Instruction Fuzzy Hash: 5721B530B002158FC741EBB8D855AAE7BF1AF8A314B1584AAD509D7355EF34DC05CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65e9fec30009708831ff5c32d35ed52ba7ba67bd268699bc8fd78f98fea9372f
                                                    • Instruction ID: c497a6030dbb3c6a96165e25707f218e6c4afc7d5aeacd54ef7570d0c0545e95
                                                    • Opcode Fuzzy Hash: 65e9fec30009708831ff5c32d35ed52ba7ba67bd268699bc8fd78f98fea9372f
                                                    • Instruction Fuzzy Hash: FC21DE31B142458FCB41EBB898549AE7BF2EF8D314B1584AAE149D7391EF349C06CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ead59589a1582a3ab029ab71aeae495b3c77fbd97b168b20420fb85f87c04ffd
                                                    • Instruction ID: b9f7f71a90bf91d5d708788d7c7e7e0c3c5e38eddd077606657a26952ebe73c7
                                                    • Opcode Fuzzy Hash: ead59589a1582a3ab029ab71aeae495b3c77fbd97b168b20420fb85f87c04ffd
                                                    • Instruction Fuzzy Hash: 8E11E735702A219BCB199A29D49096EB7A6FFC47A1F18546AD406CB350DF30DC028790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a81c05d00f2d57012d97f3d5d91f79f4fdfb076cfcea9eeea5fde8d6020d2600
                                                    • Instruction ID: 2505a7acca757b39b2f8fea5b170d9ec651186c7c2d467ed36be3b59ce828e74
                                                    • Opcode Fuzzy Hash: a81c05d00f2d57012d97f3d5d91f79f4fdfb076cfcea9eeea5fde8d6020d2600
                                                    • Instruction Fuzzy Hash: 0C115175A102188FCB40DFB8D8499AE7FF2FB8C3147108469E54AE3350EB3099068FA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d1462dc4b20a8dc2bf4881535a9ee305488b9ccdaef7fa3c33e4431a461bc68f
                                                    • Instruction ID: 25d8a36954355045ee4cecbbb67b6174fda28c36ce5758a80d12b3411656cd8b
                                                    • Opcode Fuzzy Hash: d1462dc4b20a8dc2bf4881535a9ee305488b9ccdaef7fa3c33e4431a461bc68f
                                                    • Instruction Fuzzy Hash: 72118871E0162ADFCF01DFA8D8406AFBBF5AF48311F14842AE911E3341D3749A04CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 353ae13695f3697982eb47593452595990015b17996786b60de9e552847931e6
                                                    • Instruction ID: 5647616d28ae06d50ca68a90e8140bc171d3cf7b203bf7389f5cf85bd1eea063
                                                    • Opcode Fuzzy Hash: 353ae13695f3697982eb47593452595990015b17996786b60de9e552847931e6
                                                    • Instruction Fuzzy Hash: 4C113C31B102198F8B40EFBDD8459AEB7F5FB88714711856AE50AE7354EF309D068BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2cccbde96727395cea8bbb14430202e11fb5369ce065162172b629eb6ceac9de
                                                    • Instruction ID: 56ee7723dcbf66d5d53514fe79017066d51a9fc4048833c5753c7f1e8b4ba1af
                                                    • Opcode Fuzzy Hash: 2cccbde96727395cea8bbb14430202e11fb5369ce065162172b629eb6ceac9de
                                                    • Instruction Fuzzy Hash: 61117075F102188F8B40EFB9D8499AE7BF2FB8C2147108429E50AE3344EF309D028FA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7251f34a7772e86f99774c7bb3d1c12ff160fb4c5b9c8ceda760b0754d836319
                                                    • Instruction ID: 5372252d16ba24b98567b96f802014ef8ddb7f985b1ca38dd6e91445d984f8c9
                                                    • Opcode Fuzzy Hash: 7251f34a7772e86f99774c7bb3d1c12ff160fb4c5b9c8ceda760b0754d836319
                                                    • Instruction Fuzzy Hash: 2301B532A00115ABCF06DE689810AAF3BE7EBC8790F18845AF505DB390DA70CD159790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 56b9ca18ce5bdcd3e64035ec20df2ab8faf220ab31a4e458461bce9be9719201
                                                    • Instruction ID: 1919497251aec5e1e1da26b1e0acaf49ea5115d1ca5af2892f37fedf275a3a5c
                                                    • Opcode Fuzzy Hash: 56b9ca18ce5bdcd3e64035ec20df2ab8faf220ab31a4e458461bce9be9719201
                                                    • Instruction Fuzzy Hash: EEE0C935B201298B8B44EBB8D49599D73E1EB88329B1180A5E50AE7354EE3498058BB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c18a57c2ddffa4f703ae990665dca833108a175a1d7c652ac613d341c60d0684
                                                    • Instruction ID: 3d13adac40e410be2c523fb7ee9f6f6eb49852f6076fc48b66ae1297af785231
                                                    • Opcode Fuzzy Hash: c18a57c2ddffa4f703ae990665dca833108a175a1d7c652ac613d341c60d0684
                                                    • Instruction Fuzzy Hash: 85E0ED35B101198B8F04FBB8E8959DD77E1EF88368B1180A6E50AE7354EF349C05CB71
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 357ae773fd716b1d1b26fc4790001f866699305c7c7ae9892f93e62c13f09ccd
                                                    • Instruction ID: 324195b7e35c5ac67ca7929b41cb3fa070ea23aa1476776c99195bbe335ae6fc
                                                    • Opcode Fuzzy Hash: 357ae773fd716b1d1b26fc4790001f866699305c7c7ae9892f93e62c13f09ccd
                                                    • Instruction Fuzzy Hash: 07E0C935B101198B8B44FBB8E49559D73E1EB88218B1180A6E50AE7354EE3498028B61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 803b18700226309941607f10ee2b85e86e4aa02d033fb178146f247a4ff3a9b8
                                                    • Instruction ID: c6439f297f325936a573ef7b3d786852ae2c4b468a17d17274ed20eef70b4445
                                                    • Opcode Fuzzy Hash: 803b18700226309941607f10ee2b85e86e4aa02d033fb178146f247a4ff3a9b8
                                                    • Instruction Fuzzy Hash: FEE0C935B101198B8F44EBB8D49599D73E1EF88628B1180A5E50AE7354EF3498018BB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1d14bdee254c0b593189e947254d49e5d37c5441982913e6f03166a483613d1c
                                                    • Instruction ID: 823fe9e94672a21a10143fc7f26d04c39473237eb66dbb8a4f2fa37382c689a2
                                                    • Opcode Fuzzy Hash: 1d14bdee254c0b593189e947254d49e5d37c5441982913e6f03166a483613d1c
                                                    • Instruction Fuzzy Hash: 6EE0C939B1111D8F8B44EBB8E4995ED7BF2FB882297014065E50AE3354EF3498028BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1947cb5ca68a5339b7953afe4b7535acaa65e8d42fa9575a7a77654013f1601d
                                                    • Instruction ID: 37b79a20162a195fc4955c84bc2bfba22fe1bb1d96b71d868c31a030f36dc338
                                                    • Opcode Fuzzy Hash: 1947cb5ca68a5339b7953afe4b7535acaa65e8d42fa9575a7a77654013f1601d
                                                    • Instruction Fuzzy Hash: E1D05E71429102CBC645FF74FA826587B5BAB80209B05CD95E0074FB3ADF744A699761
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ebf1bb044e88d42adb1da3a5f0d4971066af20cbb3422096a0fc153ef229e051
                                                    • Instruction ID: fb46381014223f2d91ff6a624b655747940d1f1bd3e659bd5ac86af54a751d3c
                                                    • Opcode Fuzzy Hash: ebf1bb044e88d42adb1da3a5f0d4971066af20cbb3422096a0fc153ef229e051
                                                    • Instruction Fuzzy Hash: 5FC0123145D6058AC640BF74E441519375B6680209340CDA1F1064B729AF705A599795
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b93f6fe289abc3aada1b72403c884960fb7b4c5881bb6ed0976f02a5f1d02dc
                                                    • Instruction ID: 347936c929d091afdfa3bfcda61254d176d5e56d32cb17b7060189360a850b87
                                                    • Opcode Fuzzy Hash: 7b93f6fe289abc3aada1b72403c884960fb7b4c5881bb6ed0976f02a5f1d02dc
                                                    • Instruction Fuzzy Hash: 42C04C36F15518DB5F00DAC5F4400DCB3A5EB88679B20C057D5195274497315B259AA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
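Every record above comes from the same dump, 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp at offset 00DD0000 with "based on PE: false", so these function fingerprints describe code that existed only in process memory, not in the file on disk. The following Python is an added example and not part of the Joe Sandbox report or its tooling: it parses records in exactly the layout printed above into structured objects and reports how many functions sit in writable and executable memory with no backing PE. Assumptions are marked in the code: the dot-separated fields of the .sdmp name are interpreted as process index, base address and a Windows PAGE_* protection value (only the base address is confirmed by the page, where it matches the printed Offset; the other fields are left uninterpreted), and the sample text embedded below is two records copied verbatim from this listing.

```python
"""Parse the function-fingerprint records of a Joe Sandbox memory-dump listing (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Windows memory-protection constants (winnt.h).
PAGE_PROTECTION: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class DumpSource:
    """Fields decoded from a .sdmp name; field meanings are assumptions except base_address."""
    raw: str
    process_index: int  # field 1; assumed to be the report's process number
    base_address: int   # field 4; matches the "Offset:" printed in each record
    protection: int     # field 5; assumed to hold the region's PAGE_* protection

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, hex(self.protection))

    @property
    def is_writable_executable(self) -> bool:
        return (self.protection & 0xFF) in (0x40, 0x80)


def parse_dump_filename(name: str) -> DumpSource:
    """Split the six dot-separated hex fields; fields 2, 3 and 6 are not interpreted."""
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a .sdmp name: {name}")
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {name}")
    return DumpSource(raw=name, process_index=int(parts[0], 16),
                      base_address=int(parts[3], 16), protection=int(parts[4], 16))


@dataclass
class FunctionRecord:
    source: DumpSource
    offset: int
    pe_backed: bool
    opcode_id: str
    instruction_id: str
    instruction_fuzzy_hash: str
    uniqueness_score: float  # passed through as printed (-1.00% stays -1.0)


_FIELD = re.compile(r"^\s*(?:•\s*)?([A-Za-z ]+?):\s*(.*?)\s*$")
_SOURCE = re.compile(r"(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), "
                     r"based on PE: (?P<pe>true|false)")


def parse_function_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'Memory Dump Source' block in the report text."""
    records: List[FunctionRecord] = []
    for block in re.split(r"^\s*Memory Dump Source\s*$", text, flags=re.M):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            m = _FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        src = _SOURCE.search(fields.get("Source File", ""))
        if src is None:
            continue  # leading text or a section heading, not a function record
        records.append(FunctionRecord(
            source=parse_dump_filename(src.group("file")),
            offset=int(src.group("offset"), 16),
            pe_backed=src.group("pe") == "true",
            opcode_id=fields.get("Opcode ID", ""),
            instruction_id=fields.get("Instruction ID", ""),
            instruction_fuzzy_hash=fields.get("Instruction Fuzzy Hash", ""),
            uniqueness_score=float(fields.get("Uniqueness Score", "nan").rstrip("%")),
        ))
    return records


def summarize(records: List[FunctionRecord]) -> Dict[str, int]:
    """Function count, distinct opcode fingerprints, and functions in RWX memory with no
    PE on disk behind them (the footprint of unpacked or injected code)."""
    return {
        "functions": len(records),
        "unique_opcode_ids": len({r.opcode_id for r in records}),
        "rwx_non_pe_functions": sum(
            1 for r in records if r.source.is_writable_executable and not r.pe_backed),
    }


# Two records copied from this report's listing, used as sample input.
SAMPLE_REPORT_TEXT = """
Memory Dump Source
• Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8b9b2daa2288d686472d39ff0649593ffdb69fb70aff010ca5629cb3f336eb1
• Instruction ID: ad11e541e74d137e3e2638adfd568d5f2734a8d8b1dd26119d26007f24d718f2
• Instruction Fuzzy Hash: 6D21D4313002054BDB256725D89567DBB9B9FD4714B28403BE502CB7E0EF29CE41ABA3
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.467292829.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
• Opcode ID: da227c145c636150b0e3d0f29ab46d6a68a35c235abb51bd198b49ec0d4770ec
• Instruction ID: 8ea4c61e692231bf9e9da16cc91e5686d9232a0296b788676f6b2811f206b4d5
• Instruction Fuzzy Hash: 8221A0713241559FC7208F6E9C40A6B7BA9AB55350B1A4027E842E7345DB31DE4097B2
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_function_records(SAMPLE_REPORT_TEXT)
    print(recs[0].source.protection_name, summarize(recs))
```

Run against the full listing, `summarize` gives the number of functions recovered from the injected region and how many distinct Opcode IDs they have; the Opcode IDs and Instruction Fuzzy Hashes are the values to pivot on when hunting for other samples that unpack the same code, since the on-disk hashes in the Overview belong to the packer stage rather than to this code.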

                                                    Non-executed Functions