Analysis Report ST_PLC URGENT ORDER 0223308737,pdf.exe

Overview

General Information

Sample Name: ST_PLC URGENT ORDER 0223308737,pdf.exe
Analysis ID: 356838
MD5: 49b05de1926be1ea5993874ad14c8d3a
SHA1: 92caf8d81c1cddab1e799d730b6f31b8820bdef5
SHA256: f5a3420b7aa30f99c877d5a661625e37b79841f4bc99bd17a75d46eb86e4791d
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@endovision.xyzr)($czxJs0smtp.endovision.xyz"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256 | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
(4 further entries not shown in this export)

            Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
(1 further entry not shown in this export)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
  Source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@endovision.xyzr)($czxJs0smtp.endovision.xyz"}}
Multi AV Scanner detection for submitted file
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | ReversingLabs: Detection: 31%
Machine Learning detection for sample
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Joe Sandbox ML: detected
  Source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
  Source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.190000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
  Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49726 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
  Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_00BA1798
  Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_00BA16F1

Networking:

May check the online IP address of the machine
  Source: unknown | DNS query: name: checkip.dyndns.org (4 queries observed)
  Source: Joe Sandbox View | IP Address: 216.146.43.70
  Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
  Source: global traffic | HTTP traffic detected (seen twice): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected (seen twice): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
  Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49726 version: TLS 1.0
  Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509435893.00000000031FD000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/HB:l0A
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.orgD8ok
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240592808.0000000007CA5000.00000004.00000001.sdmp | String found in binary or memory: http://en.wU
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.app
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.323215970.0000000007CA0000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.t
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241379781.0000000007CAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comits)
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241183518.0000000007CDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comva
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324374669.0000000000BD7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324374669.0000000000BD7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comue
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp; ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240840157.0000000007CDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240789901.0000000007CDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240451930.0000000007CDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnC
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn-u
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnold
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240657129.0000000007CDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnv-s
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241159879.0000000007CDF000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnva
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/84.17.52.38
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/84.17.52.38x
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app4okl
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509675871.000000000322C000.00000004.00000001.sdmp; ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509435893.00000000031FD000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
  Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
  Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
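The traffic listed above (DNS lookups for checkip.dyndns.org, a GET / carrying a Windows NT 5.2 / MSIE 6.0 / .NET CLR 1.0.3705 user agent, freegeoip.app strings in memory and a TLS 1.0 session to 104.21.19.200:443) is the network-visible side of the "May check the online IP address of the machine" signature. The Python below is an added detection example, not part of the Joe Sandbox report: it applies those indicators to log lines and reports which internal hosts combine more than one of them. The key=value log format, its field names and the benign 192.168.2.9 traffic are constructed for the example; only the hosts, user agent and TLS version come from the report.

```python
"""Network-indicator check for the behaviour in this report's Networking section
(added example). Runs over constructed key=value log lines, not a real product format."""
import re
from dataclasses import dataclass

# Hosts the sample resolves or requests to learn its public IP / geolocation (from the report).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}
# The exact user agent seen in the captured GET / requests (Windows NT 5.2 = Server 2003,
# .NET CLR 1.0.3705 = .NET Framework 1.0); the optional space tolerates log normalisation.
LEGACY_UA = re.compile(
    r"Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; \.NET CLR ?1\.0\.3705;\)")
DEPRECATED_TLS = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}


@dataclass
class Finding:
    line_no: int
    src: str
    reason: str
    detail: str


def parse_kv(line: str) -> dict:
    """Parse key=value / key="quoted value" pairs (the constructed log format used here)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def analyse(lines) -> list:
    """Return one Finding per indicator matched; a single line can yield more than one."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        kind, src = ev.get("type"), ev.get("src", "?")
        if kind == "dns" and ev.get("query", "").lower() in IP_LOOKUP_HOSTS:
            findings.append(Finding(n, src, "external IP lookup (DNS)", ev["query"]))
        elif kind == "http":
            host = ev.get("host", "").lower()
            if host in IP_LOOKUP_HOSTS:
                findings.append(Finding(n, src, "external IP / geolocation lookup (HTTP)",
                                        host + ev.get("uri", "")))
            if LEGACY_UA.search(ev.get("ua", "")):
                findings.append(Finding(n, src, "MSIE 6.0 / .NET CLR 1.0.3705 user agent", ev["ua"]))
        elif kind == "tls" and ev.get("version") in DEPRECATED_TLS:
            findings.append(Finding(n, src, "deprecated TLS version",
                                    f"{ev.get('dst')} {ev['version']}"))
    return findings


def suspicious_hosts(findings) -> set:
    """Internal hosts with at least two distinct reasons; the report's sample trips all three."""
    reasons = {}
    for f in findings:
        reasons.setdefault(f.src, set()).add(f.reason)
    return {src for src, r in reasons.items() if len(r) >= 2}


# Constructed sample: 192.168.2.7 replays the report's traffic, 192.168.2.9 is benign browsing.
SAMPLE_LOG = """\
type=dns src=192.168.2.7 query=checkip.dyndns.org
type=http src=192.168.2.7 host=checkip.dyndns.org uri=/ method=GET ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
type=tls src=192.168.2.7 dst=104.21.19.200:443 version="TLS 1.0"
type=http src=192.168.2.7 host=freegeoip.app uri=/xml/ method=GET ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
type=dns src=192.168.2.9 query=www.example.com
type=http src=192.168.2.9 host=www.example.com uri=/ method=GET ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/85.0"
type=tls src=192.168.2.9 dst=93.184.216.34:443 version="TLS 1.2"
""".splitlines()

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no} {f.src}: {f.reason} [{f.detail}]")
    print("hosts to triage:", sorted(suspicious_hosts(found)))
```

The legacy user agent on its own is weak evidence, since old .NET applications emit it too; the combination with an external-IP lookup and a TLS 1.0 handshake from the same host is what makes the alert worth a look, and where the log source carries the originating process name, requiring it to be something other than a browser removes most of the remaining noise.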

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: ST_PLC URGENT ORDER 0223308737,pdf.exe
                      PE file contains section with special charsShow sources
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: section name: qd?b#D
                      PE file has nameless sectionsShow sources
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: section name:
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA24F00_2_00BA24F0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA2C610_2_00BA2C61
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA19B70_2_00BA19B7
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA45180_2_00BA4518
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA05090_2_00BA0509
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BAA6F00_2_00BAA6F0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA36390_2_00BA3639
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA68B80_2_00BA68B8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA54A00_2_00BA54A0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA54910_2_00BA5491
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA68C80_2_00BA68C8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA44310_2_00BA4431
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA244F0_2_00BA244F
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA6D400_2_00BA6D40
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA66B00_2_00BA66B0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA66C00_2_00BA66C0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA43F90_2_00BA43F9
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA43D50_2_00BA43D5
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA6B300_2_00BA6B30
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_00BA6B400_2_00BA6B40
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023A32580_2_023A3258
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023AA2980_2_023AA298
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023A0E500_2_023A0E50
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023AA5B00_2_023AA5B0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023A63D80_2_023A63D8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023A28D80_2_023A28D8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023AB9580_2_023AB958
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023AB9490_2_023AB949
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023A0E400_2_023A0E40
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023A16800_2_023A1680
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023AA5A00_2_023AA5A0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023B61300_2_023B6130
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 0_2_023B611F0_2_023B611F
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_016281B09_2_016281B0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_016205829_2_01620582
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0162B2B09_2_0162B2B0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_01627B899_2_01627B89
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_016246309_2_01624630
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_016210399_2_01621039
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_016215529_2_01621552
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_016259E09_2_016259E0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06838E889_2_06838E88
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_068386A09_2_068386A0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06837EB89_2_06837EB8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_068376D09_2_068376D0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06836EE89_2_06836EE8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683B6109_2_0683B610
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683CE209_2_0683CE20
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683AE289_2_0683AE28
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683C6389_2_0683C638
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683A6409_2_0683A640
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06839E589_2_06839E58
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_068396709_2_06839670
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_068357809_2_06835780
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06834F989_2_06834F98
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_068347B09_2_068347B0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06833FC89_2_06833FC8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_068337E09_2_068337E0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683D7E09_2_0683D7E0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06832FF89_2_06832FF8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_068367009_2_06836700
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06835F689_2_06835F68
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683BDF89_2_0683BDF8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683F0F89_2_0683F0F8
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_068300409_2_06830040
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683E9809_2_0683E980
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_0683E1D09_2_0683E1D0
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeCode function: 9_2_06836ED79_2_06836ED7
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.325052772.00000000026AB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGALJS2L7.exe4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000000.233357926.00000000001FE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324869005.0000000002651000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503626683.0000000000C6E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503246705.0000000000466000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameGALJS2L7.exe4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503854673.00000000010F6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Binary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: Section: qd?b#D ZLIB complexity 1.00040910051
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ST_PLC URGENT ORDER 0223308737,pdf.exe.log
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | ReversingLabs: Detection: 31%
                      Source: unknown | Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe 'C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe'
                      Source: unknown | Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
                      Source: Yara match | File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: section name: qd?b#D
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: section name: (empty)
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_023A9556 push A4E94827h; iretd 0_2_023A955D
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_023BE39D push FFFFFF8Bh; iretd 0_2_023BE39F
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_023B6E4E push ebp; ret 0_2_023B6E58
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_023B6F19 push FFFFFF8Bh; iretd 0_2_023B6F1E
                      Source: initial sample | Static PE information: section name: qd?b#D entropy: 7.99769775695
                      Source: initial sample | Static PE information: section name: .text entropy: 7.94788728273
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
                      Source: Yara match | File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe TID: 6292 | Thread sleep time: -45000s >= -30000s
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe TID: 6280 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process information queried: ProcessInformation

                      Anti Debugging:

                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 0_2_00BA1798 CheckRemoteDebuggerPresent,0_2_00BA1798
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 9_2_06832D50 LdrInitializeThunk,9_2_06832D50
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into foreign processes
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Memory written: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
Queries volume information (VolumeInformation) for each of the following files:
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\MTEXTRA.TTF
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll

Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
Source: Yara match | File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
Source: Yara match | File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE
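The behaviour above (Chrome Login Data and Cookies opened, the Outlook MAPI profile key opened, MachineGuid read) together with the external IP-check hosts listed in the Domains and URLs tables further down gives a compact set of host and network indicators. The following is an added triage example, not code from the Joe Sandbox report or from Snake Keylogger: it runs those indicators over a batch of endpoint events and only raises a "stealer-like" verdict when one process both touched a credential store and performed an external IP lookup. The event schema (dicts with type, process, pid and one type-specific field) is an assumption standing in for whatever EDR or Sysmon export you actually have, the browser allowlist is an assumption, and the sample events are constructed, not taken from the report.

```python
"""Triage check for the host and network indicators in this report.

Added example; not code from the Joe Sandbox report or from Snake Keylogger.
The event schema (dicts with 'type', 'process', 'pid' and one type-specific
field) is an assumption standing in for your EDR or Sysmon export;
SAMPLE_EVENTS below are constructed, not taken from the report.
"""
import re
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Indicators from the report's "Stealing of Sensitive Information" section
# and the MachineGuid registry query.
CHROME_CRED_STORE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$", re.IGNORECASE)
OUTLOOK_PROFILES = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)
CRYPTOGRAPHY_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography$", re.IGNORECASE)
# Network indicators from the report's Domains/URLs tables (external IP check).
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}
# Assumed allowlist: the browser itself legitimately opens its own store.
BROWSER_PROCESSES = {"chrome.exe"}


def _finding(ev: dict, indicator: str, technique: str) -> dict:
    return {"pid": ev["pid"], "process": ev["process"],
            "indicator": indicator, "technique": technique}


def match_event(ev: dict) -> Optional[dict]:
    """Return a finding for one telemetry event, or None if nothing matched."""
    kind = ev.get("type")
    if kind == "file_open":
        if (CHROME_CRED_STORE.search(ev["path"])
                and ev["process"].lower() not in BROWSER_PROCESSES):
            return _finding(ev, "Chrome Login Data/Cookies read by non-browser",
                            "OS Credential Dumping")
    elif kind in ("reg_open", "reg_query"):
        key = ev["key"]
        if OUTLOOK_PROFILES.search(key):
            return _finding(ev, "Outlook MAPI profile opened", "Email Collection")
        if CRYPTOGRAPHY_KEY.search(key) and ev.get("value", "").lower() == "machineguid":
            return _finding(ev, "MachineGuid read (host fingerprint)",
                            "System Information Discovery")
    elif kind in ("dns", "http"):
        host = ev.get("host") or urlsplit(ev.get("url", "")).hostname or ""
        if host.lower() in IP_CHECK_HOSTS:
            return _finding(ev, "external IP lookup via " + host,
                            "System Network Configuration Discovery")
    return None


def triage(events: Iterable[dict]) -> List[dict]:
    """Run every event through match_event and keep the hits."""
    return [f for f in map(match_event, events) if f is not None]


def stealer_like_pids(findings: List[dict]) -> Set[int]:
    """PIDs that both touched a credential store and did an external IP
    lookup. Either alone is noisy; the pair is the pattern this report shows."""
    cred, netcheck = set(), set()
    for f in findings:
        if f["technique"] in ("OS Credential Dumping", "Email Collection"):
            cred.add(f["pid"])
        elif f["technique"] == "System Network Configuration Discovery":
            netcheck.add(f["pid"])
    return cred & netcheck


# Constructed sample telemetry (not from the report). PID 5656 mirrors the
# process the report's Yara matches name; the last two events are benign noise.
SAMPLE = "ST_PLC URGENT ORDER 0223308737,pdf.exe"
SAMPLE_EVENTS = [
    {"type": "file_open", "process": SAMPLE, "pid": 5656,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "process": SAMPLE, "pid": 5656,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"type": "reg_open", "process": SAMPLE, "pid": 5656,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
            r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "reg_query", "process": SAMPLE, "pid": 5656,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "value": "MachineGuid"},
    {"type": "dns", "process": SAMPLE, "pid": 5656, "host": "checkip.dyndns.org"},
    {"type": "http", "process": SAMPLE, "pid": 5656, "url": "https://freegeoip.app/xml/"},
    {"type": "file_open", "process": "chrome.exe", "pid": 4100,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "process": "notepad.exe", "pid": 777,
     "path": r"C:\Windows\Fonts\ARIAL.TTF"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid {h['pid']:>5}  {h['technique']:<40} {h['indicator']}")
    print("stealer-like PIDs:", sorted(stealer_like_pids(hits)))
```

The allowlist matters: a browser reading its own Login Data is routine, so the file indicator alone would fire constantly; requiring a non-browser reader and a second, independent indicator (the IP check) from the same PID is what turns these report rows into a usable hunt query. Other browsers' profile paths and mail clients can be added to the patterns the same way.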

Mitre Att&ck Matrix

Techniques are listed per tactic column of the report's matrix. Digits in brackets are the report's match-count badges for that cell, kept as extracted; entries without a badge are the matrix's unmatched placeholder techniques.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection [112]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [3]; Disable or Modify Tools [1]; Process Injection [112]; Obfuscated Files or Information [3]; Software Packing [4]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [11]; Virtualization/Sandbox Evasion [3]; Process Discovery [2]; Remote System Discovery [1]; System Network Configuration Discovery [1]; System Information Discovery [13]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection [1]; Archive Collected Data [1]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [12]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph

(The interactive behaviour graph is not reproduced in this text extract. Its legend distinguishes: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.)

Screenshots

(Screenshot thumbnails are not reproduced in this text extract.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ST_PLC URGENT ORDER 0223308737,pdf.exe | 32% | ReversingLabs | Win32.Trojan.AgentTesla
ST_PLC URGENT ORDER 0223308737,pdf.exe | 100% | Joe Sandbox ML | (no label)

Note that the ReversingLabs family label (AgentTesla) disagrees with the Yara match for Snake Keylogger above. Vendor family names for .NET credential stealers of this kind are frequently inconsistent, so classify on the Yara match and the observed behaviour rather than on the scanner label.

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.190000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3

Domains

Source | Detection | Scanner
freegeoip.app | 0% | Virustotal
checkip.dyndns.com | 0% | Virustotal

URLs

Each URL is listed once below (the report repeats URL Reputation rows three times). These strings were extracted from process memory, so trailing fragments such as "va", "DPlease", "HB:l0A" or "D8ok" are most likely adjacent bytes picked up by the string extractor rather than part of the URL. Two groups are worth separating: the font-foundry addresses (carterandcone.com, founder.com.cn, tiro.com, fontbureau.com, urwpp.de and so on) are the kind of text carried in TrueType name tables and line up with the font files the sample queried above, whereas checkip.dyndns.org, checkip.dyndns.com and freegeoip.app are the hosts behind the "May check the online IP address of the machine" signature and are the ones to hunt for in proxy and DNS logs.

Source | Detection | Scanner | Label
http://www.carterandcone.comits) | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.carterandcone.comva | 0% | URL Reputation | safe
http://www.founder.com.cn/cnv-s | 0% | Avira URL Cloud | safe
https://freegeoip.app | 0% | URL Reputation | safe
http://checkip.dyndns.org/HB:l0A | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://en.wU | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.founder.com.cn/cnC | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://www.agfamonotype.t | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comgrito | 0% | URL Reputation | safe
http://www.founder.com.cn/cnn-u | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://freegeoip.app | 0% | URL Reputation | safe
https://freegeoip.app/xml/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnold | 0% | Avira URL Cloud | safe
http://www.fontbureau.comue | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
https://freegeoip.app/xml/84.17.52.38x | 0% | URL Reputation | safe
https://freegeoip.app/xml/LoadCountryNameClipboard | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnva | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
https://freegeoip.app/xml/84.17.52.38 | 0% | URL Reputation | safe
http://checkip.dyndns.orgD8ok | 0% | Avira URL Cloud | safe
https://freegeoip.app4okl | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
freegeoip.app | 104.21.19.200 | true | false | | unknown
checkip.dyndns.com | 216.146.43.70 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.carterandcone.comits) | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241379781.0000000007CAA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers/? | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.carterandcone.comva | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241183518.0000000007CDE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnv-s | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240657129.0000000007CDE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/HB:l0A | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://en.wU | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240592808.0000000007CA5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnC | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240451930.0000000007CDE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.agfamonotype.t | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.323215970.0000000007CA0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgrito | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324374669.0000000000BD7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8 | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnn-u | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509435893.00000000031FD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://freegeoip.app | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app/xml/ | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cnold | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comue | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324374669.0000000000BD7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app/xml/84.17.52.38x | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app/xml/LoadCountryNameClipboard | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240789901.0000000007CDE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp, ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240840157.0000000007CDE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
http://www.zhongyicts.com.cnva | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241159879.0000000007CDF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp | false | | high
https://freegeoip.app/xml/84.17.52.38 | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.orgD8ok | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app4okl | ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                Contacted IPs


                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
216.146.43.70 | unknown | United States | 33517 | DYNDNSUS | false
104.21.19.200 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356838
Start date: 23.02.2021
Start time: 17:36:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ST_PLC URGENT ORDER 0223308737,pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 75
• Number of non-executed functions: 16
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.42.151.234, 51.11.168.160, 40.88.32.150, 13.88.21.125, 104.43.139.144, 23.211.6.115, 23.218.208.56, 52.147.198.201, 2.20.142.210, 2.20.142.209, 8.253.207.120, 8.248.97.254, 8.238.85.126, 8.241.80.126, 8.248.115.254, 51.103.5.186, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
17:37:44 | API Interceptor | 1x Sleep call for process: ST_PLC URGENT ORDER 0223308737,pdf.exe modified

                                                Joe Sandbox View / Context

                                                IPs

Match | Associated Sample Name / URL | Detection | Context
216.146.43.70 | QUOTE.doc | malicious | checkip.dyndns.org/
216.146.43.70 | 9073782912,pdf.exe | malicious | checkip.dyndns.org/
216.146.43.70 | DHL Shipment Notification 6368638172.pdf.exe | malicious | checkip.dyndns.org/
216.146.43.70 | SecuriteInfo.com.Trojan.Inject4.6572.13919.exe | malicious | checkip.dyndns.org/
216.146.43.70 | ORDER PURCHASE ITEMS.exe | malicious | checkip.dyndns.org/
216.146.43.70 | SwiftCopyTT.exe | malicious | checkip.dyndns.org/
216.146.43.70 | purchase order.exe | malicious | checkip.dyndns.org/
216.146.43.70 | purchase order.exe | malicious | checkip.dyndns.org/
216.146.43.70 | SHIPPING DOCUMENTS_PDF.exe | malicious | checkip.dyndns.org/
216.146.43.70 | Product Specification#742852.exe | malicious | checkip.dyndns.org/
216.146.43.70 | PO-SCHF-CCM_NFI_FSL-RED-20-01 001-A.PDF.exe | malicious | checkip.dyndns.org/
216.146.43.70 | DHL_Receipt Document_7368638172,pdf.exe | malicious | checkip.dyndns.org/
216.146.43.70 | pay09809988.exe | malicious | checkip.dyndns.org/
216.146.43.70 | Medisave Order 180827.exe | malicious | checkip.dyndns.org/
216.146.43.70 | New_Order.exe | malicious | checkip.dyndns.org/
216.146.43.70 | PO on demand 4000270283-B60.exe | malicious | checkip.dyndns.org/
216.146.43.70 | PO.xls | malicious | checkip.dyndns.org/
216.146.43.70 | Quotes.xlsm | malicious | checkip.dyndns.org/
216.146.43.70 | Purchase Orde.exe | malicious | checkip.dyndns.org/
216.146.43.70 | DHL_FORM_16022021.exe | malicious | checkip.dyndns.org/

                                                Domains

Match | Associated Sample Name / URL | Detection | Context
checkip.dyndns.com | P00760000.exe | malicious | 162.88.193.70
checkip.dyndns.com | Order.doc | malicious | 131.186.113.70
checkip.dyndns.com | QUOTE.doc | malicious | 216.146.43.70
checkip.dyndns.com | Shipment Notification 6368638172.pdf.exe | malicious | 162.88.193.70
checkip.dyndns.com | purchase order.exe | malicious | 131.186.113.70
checkip.dyndns.com | 9073782912,pdf.exe | malicious | 216.146.43.70
checkip.dyndns.com | IMG_57109_Scanned.doc | malicious | 131.186.113.70
checkip.dyndns.com | Purchase Order.exe | malicious | 131.186.113.70
checkip.dyndns.com | dot crypted.exe | malicious | 131.186.113.70
checkip.dyndns.com | v2.exe | malicious | 131.186.113.70
checkip.dyndns.com | Shipping Document PL&BL Draft.exe | malicious | 216.146.43.71
checkip.dyndns.com | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 162.88.193.70
checkip.dyndns.com | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 162.88.193.70
checkip.dyndns.com | PURCHASE ORDER CONFIRMATION.exe | malicious | 131.186.113.70
checkip.dyndns.com | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 131.186.113.70
checkip.dyndns.com | (appproved)WJO-TT180,pdf.exe | malicious | 131.186.161.70
checkip.dyndns.com | purchase order.exe | malicious | 131.186.113.70
checkip.dyndns.com | 9073782912,pdf.exe | malicious | 131.186.113.70
checkip.dyndns.com | SOS URGENT RFQ #2345.exe | malicious | 131.186.113.70
checkip.dyndns.com | purchase order 1.exe | malicious | 162.88.193.70
freegeoip.app | P00760000.exe | malicious | 104.21.19.200
freegeoip.app | Order.doc | malicious | 104.21.19.200
freegeoip.app | QUOTE.doc | malicious | 104.21.19.200
freegeoip.app | Shipment Notification 6368638172.pdf.exe | malicious | 172.67.188.154
freegeoip.app | purchase order.exe | malicious |
                                                • 104.21.19.200
                                                9073782912,pdf.exeGet hashmaliciousBrowse
                                                • 104.21.19.200
                                                IMG_57109_Scanned.docGet hashmaliciousBrowse
                                                • 104.21.19.200
                                                Purchase Order.exeGet hashmaliciousBrowse
                                                • 104.21.19.200
                                                dot crypted.exeGet hashmaliciousBrowse
                                                • 104.21.19.200
                                                v2.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                Shipping Document PL&BL Draft.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                Halkbank_Ekstre_20210223_082357_541079.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                FOB offer_1164087223_I0133P2100363812.PDF.exeGet hashmaliciousBrowse
                                                • 104.21.19.200
                                                PURCHASE ORDER CONFIRMATION.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                Yao Han Industries 61007-51333893QR001U,pdf.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                (appproved)WJO-TT180,pdf.exeGet hashmaliciousBrowse
                                                • 104.21.19.200
                                                purchase order.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                9073782912,pdf.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                SOS URGENT RFQ #2345.exeGet hashmaliciousBrowse
                                                • 104.21.19.200
                                                purchase order 1.exeGet hashmaliciousBrowse
                                                • 172.67.188.154

ASN

Match | Associated Sample Name / URL | Detection | Context
DYNDNSUS | P00760000.exe | malicious | 162.88.193.70
DYNDNSUS | Order.doc | malicious | 162.88.193.70
DYNDNSUS | QUOTE.doc | malicious | 216.146.43.70
DYNDNSUS | Shipment Notification 6368638172.pdf.exe | malicious | 162.88.193.70
DYNDNSUS | purchase order.exe | malicious | 131.186.113.70
DYNDNSUS | 9073782912,pdf.exe | malicious | 216.146.43.70
DYNDNSUS | IMG_57109_Scanned.doc | malicious | 131.186.113.70
DYNDNSUS | Purchase Order.exe | malicious | 131.186.113.70
DYNDNSUS | dot crypted.exe | malicious | 131.186.113.70
DYNDNSUS | v2.exe | malicious | 131.186.113.70
DYNDNSUS | Shipping Document PL&BL Draft.exe | malicious | 216.146.43.71
DYNDNSUS | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 162.88.193.70
DYNDNSUS | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 162.88.193.70
DYNDNSUS | PURCHASE ORDER CONFIRMATION.exe | malicious | 131.186.113.70
DYNDNSUS | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 131.186.113.70
DYNDNSUS | (appproved)WJO-TT180,pdf.exe | malicious | 131.186.161.70
DYNDNSUS | purchase order.exe | malicious | 131.186.113.70
DYNDNSUS | 9073782912,pdf.exe | malicious | 131.186.113.70
DYNDNSUS | SOS URGENT RFQ #2345.exe | malicious | 131.186.113.70
DYNDNSUS | purchase order 1.exe | malicious | 162.88.193.70
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | malicious | 172.67.199.58
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | 1vuet1S3tI.exe | malicious | 172.67.199.58
CLOUDFLARENETUS | P00760000.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | Order.doc | malicious | 104.21.19.200
CLOUDFLARENETUS | QUOTE.doc | malicious | 104.21.19.200
CLOUDFLARENETUS | Shipment Notification 6368638172.pdf.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 2070121_SN-WS.exe | malicious | 104.21.71.230
CLOUDFLARENETUS | purchase order.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | 9073782912,pdf.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | payment_advice.doc | malicious | 172.67.172.17
CLOUDFLARENETUS | IMG_57109_Scanned.doc | malicious | 172.67.188.154
CLOUDFLARENETUS | Purchase Order.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | dot crypted.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | New Order 2300030317388 InterMetro.exe | malicious | 172.67.172.17
CLOUDFLARENETUS | CN-Invoice-XXXXX9808-19011143287989.exe | malicious | 172.67.172.17
CLOUDFLARENETUS | Purchase Order list.exe | malicious | 104.21.23.61
CLOUDFLARENETUS | RkoKlvuLh6.exe | malicious | 162.159.136.232
CLOUDFLARENETUS | i0fOtOV8v0.exe | malicious | 104.23.99.190
CLOUDFLARENETUS | P3knxzE7wN.exe | malicious | 162.159.128.233

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | P00760000.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | Shipment Notification 6368638172.pdf.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | purchase order.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | 9073782912,pdf.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | Purchase Order.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | dot crypted.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | v2.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | Shipping Document PL&BL Draft.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | PURCHASE ORDER CONFIRMATION.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | (appproved)WJO-TT180,pdf.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | purchase order.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | 9073782912,pdf.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | SOS URGENT RFQ #2345.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | purchase order 1.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | telex transfer.exe | malicious | 104.21.19.200
54328bd36c14bd82ddaa0c04b25ed9ad | GPP.exe | malicious | 104.21.19.200

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ST_PLC URGENT ORDER 0223308737,pdf.exe.log
Process: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
MD5: B666A4404B132B2BF6C04FBF848EB948
SHA1: D2EFB3D43F8B8806544D3A47F7DAEE8534981739
SHA-256: 7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
SHA-512: 00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.9094410868579645
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: ST_PLC URGENT ORDER 0223308737,pdf.exe
File size: 451584
MD5: 49b05de1926be1ea5993874ad14c8d3a
SHA1: 92caf8d81c1cddab1e799d730b6f31b8820bdef5
SHA256: f5a3420b7aa30f99c877d5a661625e37b79841f4bc99bd17a75d46eb86e4791d
SHA512: 03f249e4037b9ca54a278b2179bb41d13635c11e1c5ac9e553850963953eaae9e06e9d130424afd599792949f611491a6efa203d17f02c31add73695171247da
SSDEEP: 12288:205SiHsQ5WL82LHE4NnJRbDJ51n4OhNl2Eo6:2qHRWLjHNLX1VNk
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............0..l...t.......`...`... ....@.. ....................................@................................

File Icon

Icon Hash: 00870c0808c44c00

Static PE Info

General

Entrypoint: 0x47600a
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6034FDA3 [Tue Feb 23 13:05:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00476000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16988 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x48c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x76000 | 0x8 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x16000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
qd?b#D | 0x2000 | 0x126dc | 0x12800 | False | 1.00040910051 | data | 7.99769775695 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text | 0x16000 | 0x56920 | 0x56a00 | False | 0.935518691378 | data | 7.94788728273 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x6e000 | 0x48c8 | 0x4a00 | False | 0.250369510135 | data | 3.76229374867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x74000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless) | 0x76000 | 0x10 | 0x200 | False | 0.044921875 | data | 0.142635768149 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6e130 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_GROUP_ICON | 0x72358 | 0x14 | data | |
RT_VERSION | 0x7236c | 0x36c | data | |
RT_MANIFEST | 0x726d8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Neudesic 2017
Assembly Version | 1.0.0.0
InternalName | YGxk.exe
FileVersion | 1.0.0.0
CompanyName | Neudesic
LegalTrademarks |
Comments |
ProductName | VectorBasedDrawing
ProductVersion | 1.0.0.0
FileDescription | VectorBasedDrawing
OriginalFilename | YGxk.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets


                                                UDP Packets


                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Feb 23, 2021 17:38:20.714721918 CET | 192.168.2.7 | 8.8.8.8 | 0x9b1e | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.802294970 CET | 192.168.2.7 | 8.8.8.8 | 0xfa3c | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:24.029129028 CET | 192.168.2.7 | 8.8.8.8 | 0xef52 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | | 131.186.161.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | | 162.88.193.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | | 131.186.113.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | | 131.186.161.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | | 162.88.193.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | | 131.186.113.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:24.078514099 CET | 8.8.8.8 | 192.168.2.7 | 0xef52 | No error (0) | freegeoip.app | | 104.21.19.200 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:24.078514099 CET | 8.8.8.8 | 192.168.2.7 | 0xef52 | No error (0) | freegeoip.app | | 172.67.188.154 | A (IP address) | IN (0x0001)

                                                HTTP Request Dependency Graph

                                                • checkip.dyndns.org

                                                HTTP Packets

                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                0 | 192.168.2.7 | 49723 | 216.146.43.70 | 80 | C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Feb 23, 2021 17:38:20.967432022 CET | 971 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                Feb 23, 2021 17:38:21.041201115 CET | 972 | IN | HTTP/1.1 200 OK
                                                    Content-Type: text/html
                                                    Server: DynDNS-CheckIP/1.0.1
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    Content-Length: 103
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                1 | 192.168.2.7 | 49724 | 216.146.43.70 | 80 | C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Feb 23, 2021 17:38:21.311459064 CET | 976 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                Feb 23, 2021 17:38:21.387928963 CET | 976 | IN | HTTP/1.1 200 OK
                                                    Content-Type: text/html
                                                    Server: DynDNS-CheckIP/1.0.1
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    Content-Length: 103
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


                                                HTTPS Packets

                                                Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                                Feb 23, 2021 17:38:24.243105888 CET | 104.21.19.200 | 443 | 192.168.2.7 | 49726 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                                Certificate chain presented in this session (Subject | Issuer | Not Before | Not After):
                                                    CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 10 02:00:00 CEST 2020 | Tue Aug 10 14:00:00 CEST 2021
                                                    CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025

                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Memory Usage

                                                High Level Behavior Distribution

                                                Behavior

                                                System Behavior

                                                General

                                                Start time: 17:37:36
                                                Start date: 23/02/2021
                                                Path: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe'
                                                Imagebase: 0x7fffae0c0000
                                                File size: 451584 bytes
                                                MD5 hash: 49B05DE1926BE1EA5993874AD14C8D3A
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation: low

                                                General

                                                Start time: 17:38:18
                                                Start date: 23/02/2021
                                                Path: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                Wow64 process (32bit): true
                                                Commandline: {path}
                                                Imagebase: 0x7fffae0c0000
                                                File size: 451584 bytes
                                                MD5 hash: 49B05DE1926BE1EA5993874AD14C8D3A
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation: low

                                                Disassembly

                                                Code Analysis

                                                  Executed Functions


                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00BA1834
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0
                                                  • Opcode ID: 682fcbb3544a8a16205c370cbae1e21bdacf32f4bae92bc3ef20080a8812f97c
                                                  • Instruction ID: 9222c71500257e952dc949aecf596dddbdab77ab6ffee9449780c614456db24f
                                                  • Opcode Fuzzy Hash: 682fcbb3544a8a16205c370cbae1e21bdacf32f4bae92bc3ef20080a8812f97c
                                                  • Instruction Fuzzy Hash: 9D517CBAD092988FCB01CFA4D4546DDFFF1AF1A314F18849AD454B7346D3389A46CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \5l
                                                  • API String ID: 0-245949803
                                                  • Opcode ID: 115937fdc8538e16605fa1a0dfd38d563be8ebccfa19d3d83bdd8dd0fe03febb
                                                  • Instruction ID: 38bd8f02c9e90add6bdc81896177ce48c4e6495a484d19605a3a8307e3cc84f2
                                                  • Opcode Fuzzy Hash: 115937fdc8538e16605fa1a0dfd38d563be8ebccfa19d3d83bdd8dd0fe03febb
                                                  • Instruction Fuzzy Hash: DCE17B71E04219CFDF14CFA5C894BAEBBB6FF89304F1084AAD519AB251DB309A85CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00BA1834
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0
                                                  • Opcode ID: 024811f9d215802901e6cbc470ba5865fd51495e51ce510fd812653dcd5d39ba
                                                  • Instruction ID: 865916319ab23063e6d811c44dc097812bd215d8c9fd0dbfe8190828a1ebf4cc
                                                  • Opcode Fuzzy Hash: 024811f9d215802901e6cbc470ba5865fd51495e51ce510fd812653dcd5d39ba
                                                  • Instruction Fuzzy Hash: 2D41DDB5D05258DFCB00CFAAD484AEEFBF4BB0A310F14806AE414B7240D738AA45CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ek(J
                                                  • API String ID: 0-2724920008
                                                  • Opcode ID: ab4ed21764f980b4d0dafe949bbcb675ef7df3650121b97336c46bc5c26a3a07
                                                  • Instruction ID: ac57af6ab444753c9fa431730928f5e46424d9d4194c059f62907d1b7691ef43
                                                  • Opcode Fuzzy Hash: ab4ed21764f980b4d0dafe949bbcb675ef7df3650121b97336c46bc5c26a3a07
                                                  • Instruction Fuzzy Hash: 77B11FB0D192199FCB18CFA5D990AEEFBB6FF89300F10812AD806BB255DB345A45CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ek(J
                                                  • API String ID: 0-2724920008
                                                  • Opcode ID: 6da0231691fd680c9a871337690e2692450e809202930d414486b76c62b6c0d9
                                                  • Instruction ID: 9c5e711f22c7a722f7b55e64a7c5e6c62a134034f43acf7770c8254e8e1115f0
                                                  • Opcode Fuzzy Hash: 6da0231691fd680c9a871337690e2692450e809202930d414486b76c62b6c0d9
                                                  • Instruction Fuzzy Hash: 11B12DB4D192198FCB18CFA5D990BEEBBB6FF89300F10802AD806BB251DB345A45CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RR
                                                  • API String ID: 0-408905247
                                                  • Opcode ID: 37d4aa297dd311a35af05c2cb86d64a698298893ff9fc0064d5f2914b29d0da2
                                                  • Instruction ID: 8ac853b6cc5451b7b3396e0a4d483a655443f5430ec03ef87da4a8893951c302
                                                  • Opcode Fuzzy Hash: 37d4aa297dd311a35af05c2cb86d64a698298893ff9fc0064d5f2914b29d0da2
                                                  • Instruction Fuzzy Hash: 0FA179B4E052588FCB09CFE9C894A9DFBF2FF89300F24846AD805AB355D734A906CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RR
                                                  • API String ID: 0-408905247
                                                  • Opcode ID: e3159e98c5894e29a2f53b999a7607788d6726a6b62c2fb02fbcc78c33be6dd0
                                                  • Instruction ID: 333844d299a06638d7d2ed23b383941dcc1d026cbc24e02bca3810dc9e0e4c9b
                                                  • Opcode Fuzzy Hash: e3159e98c5894e29a2f53b999a7607788d6726a6b62c2fb02fbcc78c33be6dd0
                                                  • Instruction Fuzzy Hash: 8881C474E152188FDB08CFE9D984A9EFBF2FF89300F24852AD919AB354D7309946CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: <
                                                  • API String ID: 0-4251816714
                                                  • Opcode ID: 044321325c4f3411e2fd70ee46d8e54b9a073ec3f16471e2e6851277359dde1b
                                                  • Instruction ID: 1076bf630523924b1b812a60ce5a2f5eefa2eb57a6823326950b8bc017eb329e
                                                  • Opcode Fuzzy Hash: 044321325c4f3411e2fd70ee46d8e54b9a073ec3f16471e2e6851277359dde1b
                                                  • Instruction Fuzzy Hash: C061A675E056188FDB58CFAAC9406DDFBF2BF89300F14C1AAD519AB225EB305A85CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: kq
                                                  • API String ID: 0-2362554281
                                                  • Opcode ID: 16a3cc106da919012fad8ed1eca27fbf007220c53cee3ec14ee5d3373a6b7709
                                                  • Instruction ID: 02c03e27cbbbb759c0a2db796736a9c8fc35da1db1d99f4039a5c22b8fb171f2
                                                  • Opcode Fuzzy Hash: 16a3cc106da919012fad8ed1eca27fbf007220c53cee3ec14ee5d3373a6b7709
                                                  • Instruction Fuzzy Hash: 03410971E056588BDB18CFAAD94469EFBF2FFC9310F24C16AD409AB264DB345A45CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b3f64e7df475b7dc79b35046683fce24ea00701b674eb9ae847cce9b5de36885
                                                  • Instruction ID: 6fa639cfa89d49d0b8fe38f57b97eba77129eb78b1572fe2204f70c92a29155a
                                                  • Opcode Fuzzy Hash: b3f64e7df475b7dc79b35046683fce24ea00701b674eb9ae847cce9b5de36885
                                                  • Instruction Fuzzy Hash: 8761BEB5E00219CFDB14CFA9D954AAEBBF6FF89300F10852AD819A7351DB315945CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5d2e6530af3fd17f1f8a0bf59903effaef255e0547f57167353096013882730e
                                                  • Instruction ID: 4623c7ef06a32b75b2c07f0d32f8ae0f185e60605c37b5c0c29dd1eb61dc5de2
                                                  • Opcode Fuzzy Hash: 5d2e6530af3fd17f1f8a0bf59903effaef255e0547f57167353096013882730e
                                                  • Instruction Fuzzy Hash: 4961D1B5E00218CFDB14CFA9D994AAEBBF6FF89300F10852AD819AB391DB315945CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 828b480151d95ebb23775ce6ff45fbff215819db8c807e96ff95acdba124f240
                                                  • Instruction ID: fc318ddaec688f297c42041c4dd380382243b5064d2c2a898a618d71c3241595
                                                  • Opcode Fuzzy Hash: 828b480151d95ebb23775ce6ff45fbff215819db8c807e96ff95acdba124f240
                                                  • Instruction Fuzzy Hash: 9B51FB70D092098FDB08CFAAD5456AEFBF2FF8A310F24C16AD419A7265E7349A41CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f6086bed431010886f158935ac6837af346e369448ee1f873ceead7c4d6ec44b
                                                  • Instruction ID: a3555a8d0afa621dd910599e345cf20c224d88578cd5725015994be6e5ac6db9
                                                  • Opcode Fuzzy Hash: f6086bed431010886f158935ac6837af346e369448ee1f873ceead7c4d6ec44b
                                                  • Instruction Fuzzy Hash: 8121C775E056588BEB59CF6BDC406DEBBF3AFC9300F08C1BAC559A6224DB340A468F11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 04BE7288
                                                  • GetCurrentThread.KERNEL32 ref: 04BE72C5
                                                  • GetCurrentProcess.KERNEL32 ref: 04BE7302
                                                  • GetCurrentThreadId.KERNEL32 ref: 04BE735B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 1aab67dc611375e6159d50476291001c3d76f67d57435319004f4a187d5b2db0
                                                  • Instruction ID: 156e3eab4d0afbc922c34c284da5e73b572ab84086631b754f4fb065227bf254
                                                  • Opcode Fuzzy Hash: 1aab67dc611375e6159d50476291001c3d76f67d57435319004f4a187d5b2db0
                                                  • Instruction Fuzzy Hash: 055146B49006098FDB14CFAAD548BEEBBF0EF89314F248499E419B7250DB74A944CF66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Xc:l$Xc:l$Xc:l$Xc:l
                                                  • API String ID: 0-2812814444
                                                  • Opcode ID: 57c84027ad928ebe4df4a1dbea03ec653379e9a3a15d1b8945232932177232d2
                                                  • Instruction ID: 5ebbf359dada6d60e6667e380205246c48fa3d6cccdc4ec64ad8816cdd84b86f
                                                  • Opcode Fuzzy Hash: 57c84027ad928ebe4df4a1dbea03ec653379e9a3a15d1b8945232932177232d2
                                                  • Instruction Fuzzy Hash: 57619035B002158FCB14CF68D464AAE7BF6EF89715F158069EA46AB3A0CB71DC12CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04BEBB99
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 5fc58d35a61e7699fbccf90989d7a67f50a539fdcdf01602b349bb3a3b3dd7cc
                                                  • Instruction ID: f5ae20e2b6f4056a218ec50af981c0b94cf3bc8e53f5a7c6d703465de231c112
                                                  • Opcode Fuzzy Hash: 5fc58d35a61e7699fbccf90989d7a67f50a539fdcdf01602b349bb3a3b3dd7cc
                                                  • Instruction Fuzzy Hash: 2E717AB4D04218DFDF20CFA9D984ADEBBB1BF49304F1491AAE818B7211D734AA85CF55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • OutputDebugStringW.KERNELBASE(?), ref: 00BAC772
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID: DebugOutputString
                                                  • String ID:
                                                  • API String ID: 1166629820-0
                                                  • Opcode ID: c0f4519b85e1b583c02501f57568cd289c633bd817e0455778a46bfbd7f19589
                                                  • Instruction ID: cc0eda0fcc68f4bd85fbc1743b36487484bfba3da0a2bbd164aea83e352ff741
                                                  • Opcode Fuzzy Hash: c0f4519b85e1b583c02501f57568cd289c633bd817e0455778a46bfbd7f19589
                                                  • Instruction Fuzzy Hash: C9512C7080E3889FCB02DBA9D8956DDBFF0AF07214F1984DBD481AB263D7345809CB66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 04BE0701
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 215bcc70621d0700d374d0088b1f62b1660288066fdda365b9ac5b436e4c8dc0
                                                  • Instruction ID: 8fe8653200202a1049cea06d3baa7e8d48983b5c3f6bb92203f736aa68659e08
                                                  • Opcode Fuzzy Hash: 215bcc70621d0700d374d0088b1f62b1660288066fdda365b9ac5b436e4c8dc0
                                                  • Instruction Fuzzy Hash: EA51E471D0422C8FDB20DFA5C880BDEBBB5AF49304F1580A9D549BB250DB756A89CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04BE751B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: fb9fdc725042223bbfd89c42daa40f15b98bfc840d52cf2f907a7f184833e63b
                                                  • Instruction ID: 1f828563cbe62c0b41023fc876c74e20230ba4a53b41cfc5297627aee35a07bf
                                                  • Opcode Fuzzy Hash: fb9fdc725042223bbfd89c42daa40f15b98bfc840d52cf2f907a7f184833e63b
                                                  • Instruction Fuzzy Hash: AE4164B9D052589FCB00CFA9D884AEEBBF5BB59310F14906AE818BB210D334AA45CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04BE751B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 6e914f9a2b0de4fecaf54dcb1d8d66f49138dae0b0dfba950b096b9fcac6cede
                                                  • Instruction ID: 1ef2beedb95e6a49faf250e951262b2bd3740f216b3e1c6f7a075730f5ed8504
                                                  • Opcode Fuzzy Hash: 6e914f9a2b0de4fecaf54dcb1d8d66f49138dae0b0dfba950b096b9fcac6cede
                                                  • Instruction Fuzzy Hash: F54155B9D002589FCB00CFA9D984AEEBBF4BB49310F14906AE918BB210D335A945CF55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(?,?,?), ref: 04BE568A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 32e6cf6cd9d8e8ab1565517b5059c2cb6f4a41c2d400ba1abc89eeaa045418eb
                                                  • Instruction ID: fd98e9cec727f3abe474da43b327865a8df5744e86d6c69513a2047d6cca0b6b
                                                  • Opcode Fuzzy Hash: 32e6cf6cd9d8e8ab1565517b5059c2cb6f4a41c2d400ba1abc89eeaa045418eb
                                                  • Instruction Fuzzy Hash: F44188B8D01258DFDB10CFAAD484AEEFBF0BB49314F14906AE814B7210D334A946CF55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04BEE201
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: 5625363c203cba93d5127402404f7dd31bd4cd99d5caeb4a717be30a83bb4e70
                                                  • Instruction ID: 4928cf80374b2af501982f1fffc2a210a15307c380bb1ede9c3a38e1929faf4e
                                                  • Opcode Fuzzy Hash: 5625363c203cba93d5127402404f7dd31bd4cd99d5caeb4a717be30a83bb4e70
                                                  • Instruction Fuzzy Hash: 374138B5A00205CFDB14CF9AC488AAABBF5FF88314F24C499E519A7321D375E841CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(?,?,?), ref: 04BE568A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 1945e3a3a5f0d64ec6b4492b221dd43777ebcc8b96560df73cd95bd8bfeef06a
                                                  • Instruction ID: 0d2b003b38fcb0c7eec0e45e524468c3ecf8a20a345ee709c817590bc7f745ac
                                                  • Opcode Fuzzy Hash: 1945e3a3a5f0d64ec6b4492b221dd43777ebcc8b96560df73cd95bd8bfeef06a
                                                  • Instruction Fuzzy Hash: 2A4197B4D05258DFCB10CFAAD484AAEFBF1FB49314F14906AE814B7220D334A945CF95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00BA195F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 9e07c45755c6091d3852368a888ccf55ebd4743e73952a3aafd995a9e371acf8
                                                  • Instruction ID: dcb62359fa747cb996563d340ae3a3b8e7bfa67f9a71e1c511a1a6948318c933
                                                  • Opcode Fuzzy Hash: 9e07c45755c6091d3852368a888ccf55ebd4743e73952a3aafd995a9e371acf8
                                                  • Instruction Fuzzy Hash: D431A8B9D052589FCB10CFA9E484AEEFBF0AB4A310F14906AE815B7210C374A946CF65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00BA195F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 3e941ef04431afccd6144c8235ff2477a5e30dd6c446c098c103ca3fc2b302b0
                                                  • Instruction ID: aacb14ff87d84da0fdcfb16dc4638b4c56b7597427a3d8121532b864c4619314
                                                  • Opcode Fuzzy Hash: 3e941ef04431afccd6144c8235ff2477a5e30dd6c446c098c103ca3fc2b302b0
                                                  • Instruction Fuzzy Hash: F43198B9D042589FCF10CFAAE484AEEFBF0BB4A310F14902AE814B7210D774A945CF65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00BA93BF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 3809b197a8095f8b5a293575a1f38c709480b40d16113a0f102eb961cac676d9
                                                  • Instruction ID: f2844b2b4c0cd06a3de6b798d95f220352d35b71cae2ddb9201c4b02827e6eae
                                                  • Opcode Fuzzy Hash: 3809b197a8095f8b5a293575a1f38c709480b40d16113a0f102eb961cac676d9
                                                  • Instruction Fuzzy Hash: F63199B9D042589FCF10CFAAE484AEEFBF0BB09310F14902AE814B7210D774A945CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • OutputDebugStringW.KERNELBASE(?), ref: 00BAC772
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID: DebugOutputString
                                                  • String ID:
                                                  • API String ID: 1166629820-0
                                                  • Opcode ID: 94cb94c78090e389a0cca524e9eed735b3cc57c90106ee213d4611a07293f885
                                                  • Instruction ID: 337f85c306a9d6731d5f7325b467bafbab2453845bb2dda76a276edb60a3a0b8
                                                  • Opcode Fuzzy Hash: 94cb94c78090e389a0cca524e9eed735b3cc57c90106ee213d4611a07293f885
                                                  • Instruction Fuzzy Hash: 5C31BCB8D042089FCB10CFAAD584ADEFBF5EB4A314F14806AE818B7310D774A941CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(?), ref: 04BE5362
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.330412887.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 7f65f54248cd74b654e34b7260653a0500eb946a9bcf9fe3c440329f3d4c7e1b
                                                  • Instruction ID: f08ae3c587d1c1cc9e5e1eb90631eb9f49e4320950d2766ee8d41a91113329d3
                                                  • Opcode Fuzzy Hash: 7f65f54248cd74b654e34b7260653a0500eb946a9bcf9fe3c440329f3d4c7e1b
                                                  • Instruction Fuzzy Hash: 8831A9B4D002099FCB14CFAAD484AEEFBF5EB49314F14806AE819B7310D374A945CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: <:l
                                                  • API String ID: 0-2177169150
                                                  • Opcode ID: 2ed2535fddc8608f8872a15a89fd68719299df1c8123f88946e595c126db568a
                                                  • Instruction ID: c1e4234e09d8ccbc3496d2cc509150151c32026d646872b528c6eaa2503db9d6
                                                  • Opcode Fuzzy Hash: 2ed2535fddc8608f8872a15a89fd68719299df1c8123f88946e595c126db568a
                                                  • Instruction Fuzzy Hash: 9DC16B35B001089FCB14DFA8D964BAE7BB6EF89719F118029E506EB3A1DB31DC51CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: GtY
                                                  • API String ID: 0-3630738772
                                                  • Opcode ID: a31629227741fe3af2a3812a71edb1faf38ee5055d14f0adf837899cb39e347f
                                                  • Instruction ID: b1c4f697792d8732ca03c17dcf5d584c998e2c5e1eca7970e66780732ae71c93
                                                  • Opcode Fuzzy Hash: a31629227741fe3af2a3812a71edb1faf38ee5055d14f0adf837899cb39e347f
                                                  • Instruction Fuzzy Hash: EB51A0B0D05359DFCB08CFA5C9506AEBBB5EF8A300F0485AAC419E7A61D7389A04CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: GtY
                                                  • API String ID: 0-3630738772
                                                  • Opcode ID: a381ec5123c4bbac5eded77945985f665eb30f8857c6cf0bd615399f2f491faa
                                                  • Instruction ID: 3b15c659e0c5fdd3cfb4d478f2523c3f0de9351eb46d54f317b48c5e1edc4556
                                                  • Opcode Fuzzy Hash: a381ec5123c4bbac5eded77945985f665eb30f8857c6cf0bd615399f2f491faa
                                                  • Instruction Fuzzy Hash: F74135B0D0621EDFCB08CFA6D5506AEFBB5FB89300F14946AC429B7A95D3389601CF95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $,:l
                                                  • API String ID: 0-1592699899
                                                  • Opcode ID: 7b6b697f6b83e6422f951f714e053c46ff3b67dd1c1b2e463d9daffef8a304f2
                                                  • Instruction ID: 55209857878639677f61c261b47a3089ae72a8c5fdf776aaa99f452defe9ed17
                                                  • Opcode Fuzzy Hash: 7b6b697f6b83e6422f951f714e053c46ff3b67dd1c1b2e463d9daffef8a304f2
                                                  • Instruction Fuzzy Hash: 3C3144B1D09209DFCB05DFA9D8516EEBFB5FB4A300F1085AAC818A7352E7344A46CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: q8lz
                                                  • API String ID: 0-2703691844
                                                  • Opcode ID: b34d2fec1892ac35596562cd596da09728792b1cf4927a4e1e265516e4d8166f
                                                  • Instruction ID: 79167b280b2b1878bb21672bb11d36414878f47f70bde71fe7a3348ed9891b11
                                                  • Opcode Fuzzy Hash: b34d2fec1892ac35596562cd596da09728792b1cf4927a4e1e265516e4d8166f
                                                  • Instruction Fuzzy Hash: 52E0DF7080C7828ACB21CB248C101A6FEB4AB03220F0457E4C056761E4D3318A828F41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2bb4a0ce1975252c5de65dfd4c3cd65c2c8c74bf20350bd45e5adc9df066c650
                                                  • Instruction ID: a8577c2427512c3c0f4ca742dc42994738440339167f1318a04cdbeef1a1e5a0
                                                  • Opcode Fuzzy Hash: 2bb4a0ce1975252c5de65dfd4c3cd65c2c8c74bf20350bd45e5adc9df066c650
                                                  • Instruction Fuzzy Hash: BEB1CA35A002199FCF05DF64D864AAEBBAAEF88304F158029ED06DB390DB35DD52CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 89253dcfec71796b658b7032430f88c54da82ff4303921360ad424de14d91799
                                                  • Instruction ID: 4c188a2726aed38d942da24ae1478337d10924637b8442d8f66e6dab99024262
                                                  • Opcode Fuzzy Hash: 89253dcfec71796b658b7032430f88c54da82ff4303921360ad424de14d91799
                                                  • Instruction Fuzzy Hash: FC41E475B4421A8FCB25CF68C8A4A6FBBB6EF86314B05447ADD05CB395D730D842CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1df492ead3703edfa5ec106ca0b23967ab90cdbd45e777b04cc454cfc33c1332
                                                  • Instruction ID: c819ed53bba3fa46d40921737000d9bc4b8d54f6bb40d0b5b7f25dc86a325d7b
                                                  • Opcode Fuzzy Hash: 1df492ead3703edfa5ec106ca0b23967ab90cdbd45e777b04cc454cfc33c1332
                                                  • Instruction Fuzzy Hash: 34417875A001199FCF05DF64D854AAE7BAAFF88318F148428ED029B394DB36DD62CBD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324128002.0000000000ACD000.00000040.00000001.sdmp, Offset: 00ACD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8ab0e1abc51a75de94c490b09c34e402a49a87ef242f88e70ccb274bc464e06d
                                                  • Instruction ID: 0910d4c271dbd06967895a5e780579a45b12895022732faac85d07a33fd5782e
                                                  • Opcode Fuzzy Hash: 8ab0e1abc51a75de94c490b09c34e402a49a87ef242f88e70ccb274bc464e06d
                                                  • Instruction Fuzzy Hash: 9A2125B1504240EFCB08DF10DAC0F26BBA5FB94324F25C57DEA094B246C33AE856C7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324128002.0000000000ACD000.00000040.00000001.sdmp, Offset: 00ACD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 41e9409117188b3b96136a5ae0ee1437573087d77952d0e2cd14110dd3b1f9d8
                                                  • Instruction ID: fbef233941c6517d6a26e5caf16bd4e9adfe325676ef47cb492ddd0275ed0677
                                                  • Opcode Fuzzy Hash: 41e9409117188b3b96136a5ae0ee1437573087d77952d0e2cd14110dd3b1f9d8
                                                  • Instruction Fuzzy Hash: C12100B5504248EFCB04CF10D9C0F26BBA5FB88328F25857DE9095B256C33AD856CAA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37cf5c1c66dfe0cf31368da90c8a729ceb0af48f396a137062eb6b612ff402d8
                                                  • Instruction ID: 75c67bd527918f6d73bda539999d6349f7b8e1277f10b7c51c49a4526a3bab3a
                                                  • Opcode Fuzzy Hash: 37cf5c1c66dfe0cf31368da90c8a729ceb0af48f396a137062eb6b612ff402d8
                                                  • Instruction Fuzzy Hash: ED212974B44108AFDB449B74DC25BBE7BBAEF86304F10C465E645DB180DB319E128B91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324159821.0000000000ADD000.00000040.00000001.sdmp, Offset: 00ADD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ba4cd48baa1d5663eabd85c97dc9ecc9a973745d0141b0c591f30819690f77f
                                                  • Instruction ID: 12f71b08741ea16c9561088cf64a3531e9116bd946f585150c88f0477cc83fa6
                                                  • Opcode Fuzzy Hash: 5ba4cd48baa1d5663eabd85c97dc9ecc9a973745d0141b0c591f30819690f77f
                                                  • Instruction Fuzzy Hash: 2921B0B5508240DFDB14DF24D9C4B26BBA5FBC8318F24C96AD94B4B346C33AD847CAA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324159821.0000000000ADD000.00000040.00000001.sdmp, Offset: 00ADD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 740ba35f9950c003adcfbbd70af084381519f516f38734a0ca96d4a55b6c5007
                                                  • Instruction ID: 6fbb1dea4edec6684c391b777b9ccc624e0915a09545a4d372d833363232e164
                                                  • Opcode Fuzzy Hash: 740ba35f9950c003adcfbbd70af084381519f516f38734a0ca96d4a55b6c5007
                                                  • Instruction Fuzzy Hash: 6721F5B1508240EFDB05DF10D9C0B66BBA5FB84318F24CA6EE94A5B346C33AD846CA61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dad2cc2944222aaba745c5461802c7cd1a822f8043a1e7a03d1719f93120bb9d
                                                  • Instruction ID: 10257b8552804953621293207f7ba1b82d134ab4725e0b4a5acbadb47dca8405
                                                  • Opcode Fuzzy Hash: dad2cc2944222aaba745c5461802c7cd1a822f8043a1e7a03d1719f93120bb9d
                                                  • Instruction Fuzzy Hash: F311CEB6B003465B8B25DBB988505BFBBF7EFC52603194A39D414D7240EF308D0187A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 42c18bd86e78481e1ae39ce2515e6ec94f583b60f1ad88b75a0c9ddca9a709a4
                                                  • Instruction ID: 3c6c575fd1fe0ee487be11e4686214fc1cc6faf32889bd01d00778d00e91d959
                                                  • Opcode Fuzzy Hash: 42c18bd86e78481e1ae39ce2515e6ec94f583b60f1ad88b75a0c9ddca9a709a4
                                                  • Instruction Fuzzy Hash: C4216A35A00208DFCF00DFA4D954AEEBBB2FF88314F148469E942B7290C7719D55CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324159821.0000000000ADD000.00000040.00000001.sdmp, Offset: 00ADD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 74b87ea1facdedde37724771470ed3f4cdb9d127bc2ac78f0f76f92d50873147
                                                  • Instruction ID: bc3164cf7ebdbb52f272c6793b7ce426e16e5769e67e4d6329ec5cd274eedecf
                                                  • Opcode Fuzzy Hash: 74b87ea1facdedde37724771470ed3f4cdb9d127bc2ac78f0f76f92d50873147
                                                  • Instruction Fuzzy Hash: 6E2153755093C08FCB16CF24D594715BF71EB86314F28C5DAD84A8B657C33A984ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 861d67e19941c327cf97419f58d55977270c1d043ff5da5fb36ca001424a1db1
                                                  • Instruction ID: 5d9165d10f4dc31e245148c7e9dfa8d002d012578b9ff9a631ab649004be7778
                                                  • Opcode Fuzzy Hash: 861d67e19941c327cf97419f58d55977270c1d043ff5da5fb36ca001424a1db1
                                                  • Instruction Fuzzy Hash: A3115E32B002198B8B14EBB9D9115EEB7F6EF88355B104139C909E7344EB369D19CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324128002.0000000000ACD000.00000040.00000001.sdmp, Offset: 00ACD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 581d3b3358337309ade3142078bfb267f9f907e33d8482532e12e50e88a4464a
                                                  • Instruction ID: e8104fd7dfe84773d11b7006dcf4abdeae56f39f900615d0c914899f65a5239b
                                                  • Opcode Fuzzy Hash: 581d3b3358337309ade3142078bfb267f9f907e33d8482532e12e50e88a4464a
                                                  • Instruction Fuzzy Hash: B1117F76504280DFCB15CF10D6C4B16BF72FB94324F24C6ADD9494B656C33AE856CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324128002.0000000000ACD000.00000040.00000001.sdmp, Offset: 00ACD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 581d3b3358337309ade3142078bfb267f9f907e33d8482532e12e50e88a4464a
                                                  • Instruction ID: e607b6a39a90b90ceec8982a31a33ff0866ff981b32561a421eb320651cae11f
                                                  • Opcode Fuzzy Hash: 581d3b3358337309ade3142078bfb267f9f907e33d8482532e12e50e88a4464a
                                                  • Instruction Fuzzy Hash: 9F11D376504284DFCB11CF10D9C4F16BF71FB94324F2486ADD8090B656C33AD856CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324159821.0000000000ADD000.00000040.00000001.sdmp, Offset: 00ADD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2c19c31f9b10c7c869c5534b3fef1598a2b78d89a48e0543528d321a1d48354f
                                                  • Instruction ID: 974c76563ea1c6fa35eca109ece2857ba9c1f3aace4d0ad9a3da90bf182471dd
                                                  • Opcode Fuzzy Hash: 2c19c31f9b10c7c869c5534b3fef1598a2b78d89a48e0543528d321a1d48354f
                                                  • Instruction Fuzzy Hash: 69118B75904280DFCB11CF10D5C4B55BBB1FB85324F28C6AAD84A4B756C33AD84ACB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 191274077b54007a448f8efe3756697643f9d5424128daf4d468e616e9280cbb
                                                  • Instruction ID: 5cd9c391d3b87ab1bc72fecdd516e7537593e04b933e589c26a36c22412b0b64
                                                  • Opcode Fuzzy Hash: 191274077b54007a448f8efe3756697643f9d5424128daf4d468e616e9280cbb
                                                  • Instruction Fuzzy Hash: C6F0A0B1D9A2489FC7218BA4E0617ADBF7CEB5B308F1448A6C84892686D7310953CED5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3826530a7c5387d8babcd1074a33c6c19ef97ab7deca2a906eb91cb3b11935af
                                                  • Instruction ID: 335d2c1554a2a8d458eecdeff78a2d6599e374b9f59e22ed693e1010b7fcd21b
                                                  • Opcode Fuzzy Hash: 3826530a7c5387d8babcd1074a33c6c19ef97ab7deca2a906eb91cb3b11935af
                                                  • Instruction Fuzzy Hash: 9EE0DFB76056106BCA22112A68116E677AACFE6615F0201BBE80487681CB2BA94383E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: be6f5ee64da79e6066ba107dc6c5e1d41be9a4f938c294d66921ffa8d2c01a29
                                                  • Instruction ID: a2f63a97f7a4deb67c84a77813a9fd1273ed761cc7634d5e30eb694e14a7599d
                                                  • Opcode Fuzzy Hash: be6f5ee64da79e6066ba107dc6c5e1d41be9a4f938c294d66921ffa8d2c01a29
                                                  • Instruction Fuzzy Hash: D3E068353006601FC32A5A16E9207DB37F6DFCA762F0140AAF681C7762CB548D0B8FA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f68cd407037335b5d8d1c03c9fbc303e4ff1d17d08bdf102564e475b2a31a208
                                                  • Instruction ID: 24f87b6ec4cda87aca9a268335bed3ad38f8fc5da4380977af9e8c3a72a65f1b
                                                  • Opcode Fuzzy Hash: f68cd407037335b5d8d1c03c9fbc303e4ff1d17d08bdf102564e475b2a31a208
                                                  • Instruction Fuzzy Hash: AAF0F4B0E041288FDF259F60CC50B99B6FAEB88304F5080E9A60D67342D7315F859F48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 528b57629da68c130d1fb9978a3f2d9ddf4f19cc066dd72392d0521da88cade4
                                                  • Instruction ID: 414f15c41980c62b26c4453d9b3f1070a85d4a32581c843f952c46374510b196
                                                  • Opcode Fuzzy Hash: 528b57629da68c130d1fb9978a3f2d9ddf4f19cc066dd72392d0521da88cade4
                                                  • Instruction Fuzzy Hash: E3E0C2303106244FC729AE1AD51479A73EAEF48760F014069FA46C7750CFA5DC438F81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e42191ef528043482e50d3892493063f745396d23321c7b855ddd95e2573d9f0
                                                  • Instruction ID: 617bd7e44573d994f4f5868d0384241d19d197a222fda3f811e095972795c97b
                                                  • Opcode Fuzzy Hash: e42191ef528043482e50d3892493063f745396d23321c7b855ddd95e2573d9f0
                                                  • Instruction Fuzzy Hash: 05D02E32300210A7C225210AA010A6BB2DECBC6A11F01417FE1094B380CE7AE8028390
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d5d4c88a945808a56e9a0029dca3a41c8572075883d21be751a01216c8133648
                                                  • Instruction ID: 8ac1a21e1a3dd61ffaf7ef2e76f7d5b27cc12bf62e979b5eecf52caa7ad60929
                                                  • Opcode Fuzzy Hash: d5d4c88a945808a56e9a0029dca3a41c8572075883d21be751a01216c8133648
                                                  • Instruction Fuzzy Hash: 67D0127600A2486FCB63A7108D74DC77FB6BF1A7507A68193D4808B032C515851EDF63
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0f44567aa5f7d49d655a0164b35716938cdfee751b1f9be780a570c08ccfeb8d
                                                  • Instruction ID: 208dd6a011e2731776ffe5923ccb43e6fe2f3777969887f0f612fc0fae107e9d
                                                  • Opcode Fuzzy Hash: 0f44567aa5f7d49d655a0164b35716938cdfee751b1f9be780a570c08ccfeb8d
                                                  • Instruction Fuzzy Hash: 14C09B7B014104AE5651F750C594CA97BF6FF5A340741DC66B24485431D725C824DB63
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: {nFy${nFy${nFy
                                                  • API String ID: 0-1708351726
                                                  • Opcode ID: 4f4379a82f421817f3a063d200ac7602c083e02183444b0317f566b80d7ac289
                                                  • Instruction ID: acf19315422c31db5de8fa91a647415a80bfb94defa5200f818724e28aae2bb0
                                                  • Opcode Fuzzy Hash: 4f4379a82f421817f3a063d200ac7602c083e02183444b0317f566b80d7ac289
                                                  • Instruction Fuzzy Hash: 1961EAB4E196098FCB04CFAAD5805DEFBF2FF8A310F28946AD445B7224D7349942CB54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: {nFy${nFy${nFy
                                                  • API String ID: 0-1708351726
                                                  • Opcode ID: 258101cbc7a1cc95af66c9bac6495ceddbb064023634e1aebe124bd3b8c8233b
                                                  • Instruction ID: 76dc4ee73b9100964dd04821911ad6dc53c2869385bcc9a36913105a3a57c989
                                                  • Opcode Fuzzy Hash: 258101cbc7a1cc95af66c9bac6495ceddbb064023634e1aebe124bd3b8c8233b
                                                  • Instruction Fuzzy Hash: C571E6B4E156198FCB04CFAAD5805DEFBF2FB8A310F28946AD405B7324D7349A42CB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: S_IR
                                                  • API String ID: 0-1002623561
                                                  • Opcode ID: ea1fb8b64b7633170cebb4ba90c8f7e80e08b7e01a7a882b00650ec7c58e17d7
                                                  • Instruction ID: b53934deea3b7efcd3980b511bef2c6793e149abcc98e699f65026b0c4a09f84
                                                  • Opcode Fuzzy Hash: ea1fb8b64b7633170cebb4ba90c8f7e80e08b7e01a7a882b00650ec7c58e17d7
                                                  • Instruction Fuzzy Hash: 69415C71E056188BDB28CF6B8D4579EFBF3AFC9300F14C1BAD54DAA265DB300A468E11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fdc76c9114da5cc84bb7c38cff63d2a037747f75caca1665af39d3fa67c0f8b9
                                                  • Instruction ID: e9b4840e7539bac3dd1f62b3d922963c403d90f57c1f2b7e985bfce35f09c870
                                                  • Opcode Fuzzy Hash: fdc76c9114da5cc84bb7c38cff63d2a037747f75caca1665af39d3fa67c0f8b9
                                                  • Instruction Fuzzy Hash: 36026E35A005158FCB58DF69C4A8A6EB7B2FF89714B16816AEC16DB375CB31EC01CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 169efbe4a4fca4228dc6aa6c8d90d997184abd499ad079cc8bf691dc00bae055
                                                  • Instruction ID: bb8fe976b3b7a212b21968be285e10a9fcb7940542a8bdf0c64a0c59419e9a4a
                                                  • Opcode Fuzzy Hash: 169efbe4a4fca4228dc6aa6c8d90d997184abd499ad079cc8bf691dc00bae055
                                                  • Instruction Fuzzy Hash: 88A147B4E052099FDB04CFA9C980AEEBBB6EF89304F148129E449FB355D7359941CB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9efe176a08ab5ad6882312ef8aa775b73a7e1731041728b123b3b1fdf049d0d1
                                                  • Instruction ID: 3c261502e056d59de4d7e75d4a8188bdfe2894805fea0229153f86bf98e4c743
                                                  • Opcode Fuzzy Hash: 9efe176a08ab5ad6882312ef8aa775b73a7e1731041728b123b3b1fdf049d0d1
                                                  • Instruction Fuzzy Hash: 7381EE74E14619DFCB14CF99C5809AEFBF2FB89310F2495AAE415AB324D734AA42CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 066353dc044e837d65f533019e52802d4453636d8600a8316f1f779e0030d767
                                                  • Instruction ID: 26e733171eedfd6d9a65c1b938c45f31a2cfecab89ca1b1c3b5af8f0d6685bcf
                                                  • Opcode Fuzzy Hash: 066353dc044e837d65f533019e52802d4453636d8600a8316f1f779e0030d767
                                                  • Instruction Fuzzy Hash: 9F81F274E156199FCB14CF99C5849AEFBF2FF89310B2485AAE415AB324D334AA42CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324481792.00000000023B0000.00000040.00000001.sdmp, Offset: 023B0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65f676bf802aba3af8be2c6112c40ab277ee0b1c60a239fe614ca3bbe2ea26fa
                                                  • Instruction ID: c808cbea352600b34f034b69cf5871da93767ff96b870d1fa707afcdc7e36c81
                                                  • Opcode Fuzzy Hash: 65f676bf802aba3af8be2c6112c40ab277ee0b1c60a239fe614ca3bbe2ea26fa
                                                  • Instruction Fuzzy Hash: 43815D70E152198FDB14CFA9C981AEEFBB6BF88304F24816AD509A7356D7309A41CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324481792.00000000023B0000.00000040.00000001.sdmp, Offset: 023B0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a08479790f6877dce183126740f2fd790821249677c036c2c300ddfabe84eb08
                                                  • Instruction ID: ffe162b5bba38fcba0209ffd0ac9f5a14af665eb558231e5c40a218cb1d1aa21
                                                  • Opcode Fuzzy Hash: a08479790f6877dce183126740f2fd790821249677c036c2c300ddfabe84eb08
                                                  • Instruction Fuzzy Hash: 31719070E152198FDB14CFA9C981AEEFBF6BF89304F24816AD508A7316D7309A41CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 631d2d66787c98153fc3008993753b4ea6204c189970e740641f3755d70abcb7
                                                  • Instruction ID: 66d833e5f19795fa5bd1bba74a72eee73cd4c90735743041341bbbc8be45a04e
                                                  • Opcode Fuzzy Hash: 631d2d66787c98153fc3008993753b4ea6204c189970e740641f3755d70abcb7
                                                  • Instruction Fuzzy Hash: CB5192B0D542188FCB44DFB6E981ADEBBF6EF85304F04C939D004AB365DB3959058B81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 02fe06137811bb2aab60490550f74631418c04d6f362fcb6f7b7c71cbb08f7a9
                                                  • Instruction ID: e24a69abad012086e9fa53488d607884de646a6b8f5eae7a2c3526f080f9db07
                                                  • Opcode Fuzzy Hash: 02fe06137811bb2aab60490550f74631418c04d6f362fcb6f7b7c71cbb08f7a9
                                                  • Instruction Fuzzy Hash: 565192B0D542188FCB44DFB6D581ADEBBF6EF85304F04C929D004AB365DB3959058B81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce2359acc8f631e4b4de3827808aa24cec075381987981210abbb4dfb0ee5f5e
                                                  • Instruction ID: 01a541da6ae337fe5419cb44599bc37cf19d0670a5a60c53f66d5cdb76c3ad3b
                                                  • Opcode Fuzzy Hash: ce2359acc8f631e4b4de3827808aa24cec075381987981210abbb4dfb0ee5f5e
                                                  • Instruction Fuzzy Hash: 285100B1E0560A9FCB44CFA5C5815EEFBF2FF89310F24D46AC405E7254E7345A418BA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c0bf2e00b0c6df9b8488e967dd2a7d406166aed0261e1fe131cf10df507c6544
                                                  • Instruction ID: c19473ca810a474daced465b4c45fa9c2ef01e84c157c989906769693bee2e69
                                                  • Opcode Fuzzy Hash: c0bf2e00b0c6df9b8488e967dd2a7d406166aed0261e1fe131cf10df507c6544
                                                  • Instruction Fuzzy Hash: 735109B1E0520ADFCB04CFA6C5815AEFBF2FB89300F24D46AC505E7254E7349A418BA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a25517a532fff7e4b4713653069eb0c658c0aac9662ddba27dcaf0160f7d266
                                                  • Instruction ID: 22a66ef3180026d7d80529457e6cc35ce6662cd8afbe79da1128653cf29488e4
                                                  • Opcode Fuzzy Hash: 7a25517a532fff7e4b4713653069eb0c658c0aac9662ddba27dcaf0160f7d266
                                                  • Instruction Fuzzy Hash: 5E410BB0D1560A9FCB04CFAAC8815EEFBF2FF89304F28C06AC515A7254E7349A418F94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324285936.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1771888e96e5129e9376a71ba4f41de75d184af4103f34c858d9e2d3485e4fbc
                                                  • Instruction ID: 1650f50829e96c3b595e5bf5d55ac5d79b3a6350226522f4532ea021f96f0788
                                                  • Opcode Fuzzy Hash: 1771888e96e5129e9376a71ba4f41de75d184af4103f34c858d9e2d3485e4fbc
                                                  • Instruction Fuzzy Hash: 8741E9B0E1561A9BCB44CFAAC5805AEFBF2FF89304F24C06AC515B7254D7349A418F94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.324458673.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 59e3d3e29079c254ca6f0de162c13e863e052629d5479edff7298a3ef5c703cf
                                                  • Instruction ID: dbd381f4ce40d149a5e11cb9340d9d444325b1bba9c28228be5d74d5c8c6c394
                                                  • Opcode Fuzzy Hash: 59e3d3e29079c254ca6f0de162c13e863e052629d5479edff7298a3ef5c703cf
                                                  • Instruction Fuzzy Hash: E44165B1E056188BEB18CFABC9543CEFAF3AFC9304F14C1BAC508AA259DB7505468F40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.514718598.0000000006830000.00000040.00000001.sdmp, Offset: 06830000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: Y
                                                  • API String ID: 2994545307-3233089245
                                                  • Opcode ID: e14488db04f655c0bdda8a5e917e97e0b43526172a279f701d688db152dc9f13
                                                  • Instruction ID: a0698a67a789f974feac324d19545602967f8b1e75ba82cb6a6bb6edce9fe7c3
                                                  • Opcode Fuzzy Hash: e14488db04f655c0bdda8a5e917e97e0b43526172a279f701d688db152dc9f13
                                                  • Instruction Fuzzy Hash: 9F132970D10B19CECB54EF68C894AADF7B1BF99304F15C699D558AB211EB70AAC4CF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.514718598.0000000006830000.00000040.00000001.sdmp, Offset: 06830000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: Y
                                                  • API String ID: 2994545307-3233089245
                                                  • Opcode ID: fb198d590b7fb8a15453b3999913dbac9cdad172221fb7a7c5c92afd0a0891a0
                                                  • Instruction ID: da9c4caff0fbb34e675c9febee871d085130210315a434e97669a3141c7c7ceb
                                                  • Opcode Fuzzy Hash: fb198d590b7fb8a15453b3999913dbac9cdad172221fb7a7c5c92afd0a0891a0
                                                  • Instruction Fuzzy Hash: DB820570D00719CFCB64DFA9C894A9DF7B1BF89304F14869AD558AB251EB30AAC5CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.514718598.0000000006830000.00000040.00000001.sdmp, Offset: 06830000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 2a981739f559d96038ba5814e0c73fbedebdde58fdba9cf34e4d44a9ff375f36
                                                  • Instruction ID: 509f5d82817ed22968c04a7bb578477d8f52762d55e7361af14d7f17b04985dc
                                                  • Opcode Fuzzy Hash: 2a981739f559d96038ba5814e0c73fbedebdde58fdba9cf34e4d44a9ff375f36
                                                  • Instruction Fuzzy Hash: 98315674A002199FDB04CFA4D5C0ADDFBB2BF98314F25C299E504AB295C735AA85CFD4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.507425482.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 90fc4b5047535d648548721c3a27a53b18137c3879dbf9412ad37ad6ba73e848
                                                  • Instruction ID: 725a01a0e7f7ab63dfc5c2f625608612e3fb64e448578b3adf2a83571557ca8e
                                                  • Opcode Fuzzy Hash: 90fc4b5047535d648548721c3a27a53b18137c3879dbf9412ad37ad6ba73e848
                                                  • Instruction Fuzzy Hash: F0D13434620619EFD728AB74E86E7697FB2AF84306F149638E416972A0CF759C81CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.514718598.0000000006830000.00000040.00000001.sdmp, Offset: 06830000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec76cb5acdb9ab602d2845ab40d2dd62408551283d3de35e5805457462cefe20
                                                  • Instruction ID: 47208784056f10db3b1bddf61ba7ad647795ba4d634d6dabd303cb7b54c39465
                                                  • Opcode Fuzzy Hash: ec76cb5acdb9ab602d2845ab40d2dd62408551283d3de35e5805457462cefe20
                                                  • Instruction Fuzzy Hash: 7A913431E04228DFCB15CF68D894BEDBBF1AF85314F15816AE954EB3A1CB349945CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 0162E14B
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.507425482.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 27916c3e437fb0a26156031b5edfd539422c04f5f05972a1d5d67d4eafc6bfa0
                                                  • Instruction ID: d5e38653f420e7d644cc732c5681e29d986339f741ab0d47d27bd4ee836f89d3
                                                  • Opcode Fuzzy Hash: 27916c3e437fb0a26156031b5edfd539422c04f5f05972a1d5d67d4eafc6bfa0
                                                  • Instruction Fuzzy Hash: 7831D9391B111AEFCB146B70FE2F12C7FB2BF5460B710A625F90680664CFB11892CB19
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 0162E14B
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.507425482.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 2c1693292e4efdd6c2e1c2d29c623be7fdd2157f978df657619d67f1ca4ff1e8
                                                  • Instruction ID: 44684f442398dd64fe9dedbc99fe675c86532e8dae5065ffca7c5e4db7bae3ad
                                                  • Opcode Fuzzy Hash: 2c1693292e4efdd6c2e1c2d29c623be7fdd2157f978df657619d67f1ca4ff1e8
                                                  • Instruction Fuzzy Hash: BE31BA391B111AEFCB146B70FE2F13C7E72BF5460BB14A625F50690664CFB11882DB19
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.514718598.0000000006830000.00000040.00000001.sdmp, Offset: 06830000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1166b22aae625478b816f71e3f37959500aa3223bc46b438300c72c2a54dd70b
                                                  • Instruction ID: 854404ea3f3d96df560a974d1bfe4f21df417275d6d1f51766a14bd3767c2e1b
                                                  • Opcode Fuzzy Hash: 1166b22aae625478b816f71e3f37959500aa3223bc46b438300c72c2a54dd70b
                                                  • Instruction Fuzzy Hash: A0018BB5E00218AFDF04CF98E985ACDBBB2FF94310F14816AE500B7314C7719A44CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.514718598.0000000006830000.00000040.00000001.sdmp, Offset: 06830000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 536dec34d21a55a11ae91e9a936cabf47ff3e85af794b760e8bf4a7da9231764
                                                  • Instruction ID: 14de1509dba9538fb54315fe6cb5ab126c1e730378fc61cf767d45dd52ba5a71
                                                  • Opcode Fuzzy Hash: 536dec34d21a55a11ae91e9a936cabf47ff3e85af794b760e8bf4a7da9231764
                                                  • Instruction Fuzzy Hash: 50016DB1E012189FDB44CF98E484ACDFBB2FF98314F2081AAE900BB255C7715944CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.503992262.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b7fd64726b9242470e6d471c040147b80c071aab1dac16e8d704ced0f4f79188
                                                  • Instruction ID: 9de7e2ab8a6dde87c910fd5e8e46d476fc87eb8eb5c897e918d3f1341c18c918
                                                  • Opcode Fuzzy Hash: b7fd64726b9242470e6d471c040147b80c071aab1dac16e8d704ced0f4f79188
                                                  • Instruction Fuzzy Hash: 332103B1514240DFDF49DF54E9C0B26BFB5FB8832CF248669ED054A216C33AD856CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.504084219.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c558b636c42117436c20ae5236cb9eaccc952b03b398f8934096784ef38c30a0
                                                  • Instruction ID: f5830e0c38e2d3e133d8d2e75e2ddef31b8a6891e913737f1d1e18fa54c86682
                                                  • Opcode Fuzzy Hash: c558b636c42117436c20ae5236cb9eaccc952b03b398f8934096784ef38c30a0
                                                  • Instruction Fuzzy Hash: 862103B1608240DFCF19DF54E9C0B26BBA9EB84258F24C569D9894B246C33BD856CA62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.504084219.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 96130e51a7ad5498053054f954f2e7a806c515c957af12ebd253017dda877167
                                                  • Instruction ID: 76d8ef93d2aedcfa5c5d55495957ec228db7a4f62eeba384c6e8f39c112b715a
                                                  • Opcode Fuzzy Hash: 96130e51a7ad5498053054f954f2e7a806c515c957af12ebd253017dda877167
                                                  • Instruction Fuzzy Hash: A321687550D3C08FDB07CB24D890B15BF71AB46214F2981DBD8888B2A3C37A881ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.503992262.000000000115D000.00000040.00000001.sdmp, Offset: 0115D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 581d3b3358337309ade3142078bfb267f9f907e33d8482532e12e50e88a4464a
                                                  • Instruction ID: d2af96bd4ee85b3e7ff8ff7e7f7ae0d254242c1dbd7db1129a56348581a7e987
                                                  • Opcode Fuzzy Hash: 581d3b3358337309ade3142078bfb267f9f907e33d8482532e12e50e88a4464a
                                                  • Instruction Fuzzy Hash: 9C11AC76404280CFDF16CF54E9C4B16BF71FB88328F2886A9DC054B656C33AD45ACBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions