Analysis Report Purchase List.exe

Overview

General Information

Sample Name: Purchase List.exe
Analysis ID: 358181
MD5: e4cf61f665f6162275d903ae9704ab4b
SHA1: fae35b4255e8d21822800c06b6bebc467730e422
SHA256: 902e08a184d5a096905397464b5add020e541af01a856e33935763ceb42f1205
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Purchase List.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\Purchase List.exe' MD5: E4CF61F665F6162275D903AE9704AB4B)
    • schtasks.exe (PID: 3476 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Purchase List.exe (PID: 5744 cmdline: C:\Users\user\Desktop\Purchase List.exe MD5: E4CF61F665F6162275D903AE9704AB4B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "admin@estagold.com.myestagold202584mail.estagold.com.mybmathena@accesesdata.com"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.651016305.00000000038E0000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security

Unpacked PEs

Source: 4.2.Purchase List.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.Purchase List.exe.3930820.4.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.Purchase List.exe.26a1d80.1.raw.unpack | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 0.2.Purchase List.exe.3930820.4.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase List.exe', ParentImage: C:\Users\user\Desktop\Purchase List.exe, ParentProcessId: 7028, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp', ProcessId: 3476

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Purchase List.exe.3930820.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "admin@estagold.com.myestagold202584mail.estagold.com.mybmathena@accesesdata.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fjbxiXhL.exe | ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: Purchase List.exe | Virustotal: Detection: 39%
Source: Purchase List.exe | ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fjbxiXhL.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase List.exe | Joe Sandbox ML: detected
Source: 4.2.Purchase List.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Purchase List.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Purchase List.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49768 -> 103.6.196.156:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49769 -> 103.6.196.156:587
Source: global traffic | TCP traffic: 192.168.2.4:49768 -> 103.6.196.156:587
Source: Joe Sandbox View | IP Address: 103.6.196.156
Source: Joe Sandbox View | ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: unknown | DNS traffic detected: queries for: mail.estagold.com.my
Source: Purchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase List.exe, 00000004.00000002.902125065.0000000003200000.00000004.00000001.sdmp | String found in binary or memory: http://estagold.com.my
Source: Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Purchase List.exe | String found in binary or memory: http://inchat.kro.kr
Source: Purchase List.exe, 00000004.00000002.902125065.0000000003200000.00000004.00000001.sdmp | String found in binary or memory: http://mail.estagold.com.my
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase List.exe | String found in binary or memory: http://schooldb.inchat.kro.kr/
Source: Purchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: http://vHuoap.com
Source: Purchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: https://OflDl889FuVaHuAjQFuC.com
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Purchase List.exe, 00000000.00000002.651016305.00000000038E0000.00000004.00000001.sdmp, Purchase List.exe, 00000004.00000002.900350877.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Purchase List.exe, 00000000.00000002.649375718.0000000000970000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 4.2.Purchase List.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b0A69782Cu002dCC38u002d4531u002d980Du002d15391B4A1CA5u007d/u00305C1E7E3u002d84D2u002d49AEu002d9CDBu002d7125A6AE99F0.cs | Large array initialization: .cctor: array initializer size 11963
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase List.exe
Source: Purchase List.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fjbxiXhL.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Purchase List.exe | Binary or memory string: OriginalFilename vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.656177523.0000000008650000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.649375718.0000000000970000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.656100241.0000000008490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.655771530.0000000006FF0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.655771530.0000000006FF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.651016305.00000000038E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemVwpcvWDCJFhCKROeeZLxPCBImYvnKQqhjmag.exe4 vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.648834431.00000000002D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIApplicationContext.exe. vs Purchase List.exe
Source: Purchase List.exe, 00000000.00000002.655628666.0000000006EF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Purchase List.exe
Source: Purchase List.exe, 00000004.00000002.900560463.0000000000F38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase List.exe
Source: Purchase List.exe, 00000004.00000002.900350877.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemVwpcvWDCJFhCKROeeZLxPCBImYvnKQqhjmag.exe4 vs Purchase List.exe
Source: Purchase List.exe, 00000004.00000002.900438684.0000000000AF2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIApplicationContext.exe. vs Purchase List.exe
Source: Purchase List.exe | Binary or memory string: OriginalFilenameIApplicationContext.exe. vs Purchase List.exe
Source: Purchase List.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase List.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fjbxiXhL.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.Purchase List.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/5@4/1
Source: C:\Users\user\Desktop\Purchase List.exe | File created: C:\Users\user\AppData\Roaming\fjbxiXhL.exe
Source: C:\Users\user\Desktop\Purchase List.exe | Mutant created: \Sessions\1\BaseNamedObjects\yIdaIXoiNVHVUXJTQ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_01
Source: C:\Users\user\Desktop\Purchase List.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp
Source: C:\Users\user\Desktop\Purchase List.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase List.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase List.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Purchase List.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase List.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Purchase List.exe | Virustotal: Detection: 39%
Source: Purchase List.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\Purchase List.exe | File read: C:\Users\user\Desktop\Purchase List.exe
Source: unknown | Process created: C:\Users\user\Desktop\Purchase List.exe 'C:\Users\user\Desktop\Purchase List.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Purchase List.exe C:\Users\user\Desktop\Purchase List.exe
Source: C:\Users\user\Desktop\Purchase List.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp'
Source: C:\Users\user\Desktop\Purchase List.exe | Process created: C:\Users\user\Desktop\Purchase List.exe C:\Users\user\Desktop\Purchase List.exe
Source: C:\Users\user\Desktop\Purchase List.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Purchase List.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase List.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Purchase List.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase List.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Purchase List.exe | Code function: 4_2_060EA61F push es; iretd 4_2_060EA63C
Source: C:\Users\user\Desktop\Purchase List.exe | Code function: 4_2_060E8540 push es; ret 4_2_060E8550
Source: initial sample | Static PE information: section name: .text entropy: 7.52724111071
Source: C:\Users\user\Desktop\Purchase List.exe | File created: C:\Users\user\AppData\Roaming\fjbxiXhL.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp'
Source: C:\Users\user\Desktop\Purchase List.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Purchase List.exe | Process information set: NOOPENFILEERRORBOX (reported 94 times)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase List.exe PID: 7028, type: MEMORY
Source: Yara match | File source: 0.2.Purchase List.exe.26a1d80.1.raw.unpack, type: UNPACKEDPE
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase List.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase List.exe, 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Purchase List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\Purchase List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Purchase List.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Purchase List.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Purchase List.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\Purchase List.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Purchase List.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Users\user\Desktop\Purchase List.exe | Window / User API: threadDelayed 850
Source: C:\Users\user\Desktop\Purchase List.exe | Window / User API: threadDelayed 8997
Source: C:\Users\user\Desktop\Purchase List.exe TID: 7032 | Thread sleep time: -103590s >= -30000s
Source: C:\Users\user\Desktop\Purchase List.exe TID: 7060 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase List.exe TID: 6648 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\Purchase List.exe TID: 1320 | Thread sleep count: 850 > 30
Source: C:\Users\user\Desktop\Purchase List.exe TID: 1320 | Thread sleep count: 8997 > 30
Source: C:\Users\user\Desktop\Purchase List.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase List.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (reported 2 times)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Purchase List.exe, 00000000.00000003.644472258.00000000087AB000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: Purchase List.exe, 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp | Binary or memory string: %l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase List.exe, 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp | Binary or memory string: %l"SOFTWARE\VMware, Inc.\VMware T<
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Purchase List.exe, 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp | Binary or memory string: %l"SOFTWARE\VMware, Inc.\VMware T
Source: Purchase List.exe, 00000000.00000003.644472258.00000000087AB000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareT3FKCW45Win32_VideoControllerGTCCSNDHVideoController120060621000000.000000-00009938.91display.infMSBDA942VRVNTPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsLVMK6P4R
Source: Purchase List.exe, 00000000.00000003.644472258.00000000087AB000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareT3FKCW45Win32_VideoControllerGTCCSNDHVideoController120060621000000.000000-00009938.91display.infMSBDA942VRVNTPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsLVMK6P4RLMEMp
Source: Purchase List.exe, 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Purchase List.exe, 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp | Binary or memory string: %l"SOFTWARE\VMware, Inc.\VMware Tools
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Purchase List.exe, 00000004.00000003.865754589.000000000132F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Purchase List.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Code function: 4_2_010A1790 LdrInitializeThunk, 4_2_010A1790
Source: C:\Users\user\Desktop\Purchase List.exe | Process token adjusted: Debug (reported 2 times)
Source: C:\Users\user\Desktop\Purchase List.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Purchase List.exe | Memory written: C:\Users\user\Desktop\Purchase List.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase List.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp'
Source: C:\Users\user\Desktop\Purchase List.exe | Process created: C:\Users\user\Desktop\Purchase List.exe C:\Users\user\Desktop\Purchase List.exe
Source: Purchase List.exe, 00000004.00000002.901375032.0000000001800000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Purchase List.exe, 00000004.00000002.901375032.0000000001800000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Purchase List.exe, 00000004.00000002.901375032.0000000001800000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Purchase List.exe, 00000004.00000002.901375032.0000000001800000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Users\user\Desktop\Purchase List.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase List.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Users\user\Desktop\Purchase List.exe | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase List.exe | Code function: 4_2_060E516C GetUserNameW | 4_2_060E516C
Source: C:\Users\user\Desktop\Purchase List.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.651016305.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.900350877.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase List.exe PID: 7028, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase List.exe PID: 5744, type: MEMORY
Source: Yara match | File source: 4.2.Purchase List.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase List.exe.3930820.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase List.exe.3930820.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Purchase List.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Purchase List.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Purchase List.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase List.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Purchase List.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Purchase List.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Purchase List.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Purchase List.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Purchase List.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Purchase List.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase List.exe PID: 5744, type: MEMORY
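Each of the four signatures above fires on a single file or registry open, and any one of those opens is noisy on its own (a browser opens its own Login Data all day). What a detection engineer wants is the correlation: one process reaching browser, FTP, mail and WinSCP stores within seconds of each other is the stealer pattern. The Python below is an added example, not Joe Sandbox code. It classifies access events against the paths this report lists and flags a process that touches three or more store categories within a five-minute window. The PuTTY registry key, the event tuple shape and the timestamps are assumptions; the paths and the PID 5744 are the report's.

```python
"""Flag a process that touches several credential stores in a short window.

Added example, not Joe Sandbox code. The file and registry paths are the ones
this report lists under "Stealing of Sensitive Information"; the PuTTY key is
an assumption (the report only shows WinSCP). The events are constructed to
resemble Sysmon file-access / registry-access records.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern list per credential-store category used by the report's signatures.
CRED_STORE_PATTERNS = {
    "browser": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$",
        r"\\Mozilla\\Firefox\\profiles\.ini$",
    ],
    "ftp": [
        r"\\FileZilla\\recentservers\.xml$",
        r"\\SmartFTP\\Client 2\.0\\Favorites\\",
    ],
    "mail": [
        r"\\Thunderbird\\profiles\.ini$",
        r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities",
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\",
    ],
    "putty_winscp": [
        r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions",
        r"^HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions",  # assumption, not in report
    ],
}
_COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
             for cat, pats in CRED_STORE_PATTERNS.items()}


def classify(target):
    """Category of a file or registry path, or None if it is not a credential store."""
    for cat, pats in _COMPILED.items():
        if any(p.search(target) for p in pats):
            return cat
    return None


def find_stealers(events, min_categories=3, window=timedelta(minutes=5)):
    """events: iterable of (timestamp, pid, image, target) tuples.

    A process is reported when it opens stores from at least `min_categories`
    distinct categories within `window` of its first credential-store access.
    Returns {pid: (image, sorted categories)}.
    """
    first_seen, images = {}, {}
    touched = defaultdict(set)
    for ts, pid, image, target in sorted(events, key=lambda e: e[0]):
        cat = classify(target)
        if cat is None:
            continue
        first_seen.setdefault(pid, ts)
        images[pid] = image
        if ts - first_seen[pid] <= window:
            touched[pid].add(cat)
    return {pid: (images[pid], sorted(cats))
            for pid, cats in touched.items() if len(cats) >= min_categories}


def sample_events():
    """Constructed events: PID 5744 replays the accesses this report recorded;
    PID 1234 is a browser opening its own Login Data (one category, benign)."""
    t0 = datetime(2021, 2, 23, 10, 0, 0)
    exe = r"C:\Users\user\Desktop\Purchase List.exe"
    app = r"C:\Users\user\AppData"
    s = lambda n: t0 + timedelta(seconds=n)
    return [
        (s(1), 5744, exe, app + r"\Local\Google\Chrome\User Data\Default\Cookies"),
        (s(2), 5744, exe, app + r"\Local\Google\Chrome\User Data\Default\Login Data"),
        (s(3), 5744, exe, app + r"\Roaming\Mozilla\Firefox\profiles.ini"),
        (s(4), 5744, exe, app + r"\Roaming\FileZilla\recentservers.xml"),
        (s(5), 5744, exe, app + r"\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"),
        (s(6), 5744, exe, app + r"\Roaming\Thunderbird\profiles.ini"),
        (s(7), 5744, exe, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
        (s(8), 5744, exe, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                          r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
        (s(9), 5744, exe, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
        (s(10), 5744, exe, r"C:\Windows\Fonts\LTYPE.TTF"),  # not a credential store, ignored
        (s(30), 1234, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         app + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    ]


if __name__ == "__main__":
    for pid, (image, cats) in find_stealers(sample_events()).items():
        print(f"PID {pid} ({image}) touched credential stores: {', '.join(cats)}")
```

The window is keyed to the first credential-store access of each process rather than to a sliding window, which keeps the logic trivial to port to a SIEM aggregation rule; lower `min_categories` to 2 if your environment has few legitimate multi-store readers.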

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.651016305.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.900350877.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase List.exe PID: 7028, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase List.exe PID: 5744, type: MEMORY
Source: Yara match | File source: 4.2.Purchase List.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase List.exe.3930820.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase List.exe.3930820.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is reproduced one tactic column per line, techniques in the report's top-to-bottom order. A bracketed number is the signature-count badge the report attached to that technique, kept as extracted (where a cell carried more than one badge the digits are run together); techniques without a badge carried no signature hits.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation [311]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection [112]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [3]; Masquerading [1]; Virtualization/Sandbox Evasion [24]; Process Injection [112]; Indicator Removal from Tools; Masquerading; Invalid Code Signature
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Account Discovery [1]; File and Directory Discovery [1]; System Information Discovery [114]; Query Registry [1]; Security Software Discovery [421]; Virtualization/Sandbox Evasion [24]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

Behavior Graph

(Graph image not reproduced. Its legend distinguishes: process, signature, created file, DNS/IP info, is dropped, is Windows process, number of created registry values, number of created files, the language markers Visual Basic, Delphi, Java, .Net C# or VB.NET, and C, C++ or other language, is malicious, and Internet.)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Purchase List.exe | 39% | Virustotal | -
Purchase List.exe | 14% | Metadefender | -
Purchase List.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Stelega
Purchase List.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\fjbxiXhL.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\fjbxiXhL.exe | 14% | Metadefender | -
C:\Users\user\AppData\Roaming\fjbxiXhL.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Stelega

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.Purchase List.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                    Domains

                    No Antivirus matches

URLs

Source | Detection | Scanner | Label
(x3 marks a URL the report listed three times with an identical URL Reputation verdict; it is shown once here.)
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (x3) | safe
http://estagold.com.my | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/jp/2 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation (x3) | safe
http://www.sajatypeworks.com | 0% | URL Reputation (x3) | safe
http://www.typography.netD | 0% | URL Reputation (x3) | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/: | 0% | URL Reputation (x3) | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (x3) | safe
http://fontfabrik.com | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/Y0d | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/2 | 0% | URL Reputation (x3) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/( | 0% | URL Reputation (x3) | safe
http://www.sandoll.co.kr | 0% | URL Reputation (x3) | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/-czL | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (x3) | safe
http://www.sakkal.com | 0% | URL Reputation (x3) | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation (x3) | safe
http://DynDns.comDynDNS | 0% | URL Reputation (x3) | safe
http://www.founder.com.cn/cnLog | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/H | 0% | URL Reputation (x3) | safe
http://mail.estagold.com.my | 0% | Avira URL Cloud | safe
http://www.fontbureau.comion | 0% | URL Reputation (x3) | safe
http://www.gagalive.kr/livechat1.swf?chatroom=inchat- | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation (x3) | safe
http://www.founder.com.cn/cnsha | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation (x3) | safe
http://www.founder.com.cn/cn | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/r | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (x3) | safe
http://www.fontbureau.como | 0% | URL Reputation (x3) | safe
http://www.jiyu-kobo.co.jp/j | 0% | Avira URL Cloud | safe
http://vHuoap.com | 0% | Avira URL Cloud | safe
https://OflDl889FuVaHuAjQFuC.com | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
estagold.com.my | 103.6.196.156 | true | true | - | unknown
mail.estagold.com.my | unknown | unknown | true | - | unknown
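Two things stand out when the URL table and the Contacted Domains table are read together: the URL list is dominated by typeface-vendor addresses with run-on garbage after the TLD, and the only two hosts the sandbox actually contacted (estagold.com.my and mail.estagold.com.my, both marked malicious above) carry a 0% / "safe" reputation verdict. Reputation therefore does not separate signal from noise here; provenance does. The Python below is an added example, not part of the report: it sorts the carved URL strings into buckets and cross-references them with the contacted domains so that what remains is the short list worth hunting. The URLs and domains are copied from this report; the font-vendor list, and the reading that those strings come from the TTF files the sample enumerated through System.Drawing, are the analyst's assumptions.

```python
"""Sort URL strings carved from the sample's memory into signal and noise.

Added example, not part of the Joe Sandbox report. REPORT_URLS and CONTACTED
are copied from the report's "URLs" and "Contacted Domains" tables; the
font-vendor list and the category rules are the analyst's assumptions.
"""
import re

# Hosts the sandbox saw the sample resolve/contact (Contacted Domains table).
CONTACTED = {"estagold.com.my", "mail.estagold.com.my"}

# Assumption: typeface vendors whose URLs live in the name/copyright tables of
# the Windows .TTF files this sample enumerated (see the C:\Windows\Fonts and
# System.Drawing.dll queries above). Such strings are font metadata pulled
# into process memory, not network infrastructure.
FONT_VENDOR_DOMAINS = {
    "fontbureau.com", "founder.com.cn", "tiro.com", "jiyu-kobo.co.jp",
    "goodfont.co.kr", "sajatypeworks.com", "typography.net",
    "galapagosdesign.com", "fontfabrik.com", "sandoll.co.kr", "urwpp.de",
    "zhongyicts.com.cn", "sakkal.com", "carterandcone.com",
}


def host_of(url):
    """Lower-cased host part of a carved URL. Carved strings often run into
    adjacent bytes ("typography.netD"), so nothing is validated here."""
    rest = url.split("://", 1)[-1]
    return re.split(r"[/:?#]", rest, maxsplit=1)[0].lower()


def categorize(url):
    """Map one URL string to a triage bucket; order matters (most specific first)."""
    host = host_of(url)
    if host.startswith("127.") or host == "localhost":
        return "loopback"
    if host in CONTACTED:
        return "contacted_infrastructure"
    # Substring match so that run-on garbage after the TLD still classifies.
    if any(vendor in host for vendor in FONT_VENDOR_DOMAINS):
        return "font_metadata"
    if "torproject.org" in url or host.endswith("theonionrouter.com"):
        return "tor_bundle_download"
    if "dyndns.com" in host:
        return "dyndns_string"
    return "needs_review"


def triage(urls):
    """{category: sorted unique hosts} for a list of URL strings."""
    buckets = {}
    for url in urls:
        buckets.setdefault(categorize(url), set()).add(host_of(url))
    return {cat: sorted(hosts) for cat, hosts in buckets.items()}


def candidate_iocs(urls):
    """Hosts to hunt for: contacted infrastructure plus anything left unexplained."""
    t = triage(urls)
    return sorted(set(t.get("contacted_infrastructure", [])) | set(t.get("needs_review", [])))


# Verbatim URL strings from this report's "URLs" table (constructed input list).
REPORT_URLS = [
    "http://127.0.0.1:HTTP/1.1", "http://www.founder.com.cn/cn/bThe", "http://estagold.com.my",
    "http://www.tiro.com", "http://www.jiyu-kobo.co.jp/jp/2", "http://www.goodfont.co.kr",
    "http://www.sajatypeworks.com", "http://www.typography.netD", "http://www.founder.com.cn/cn/cThe",
    "http://www.jiyu-kobo.co.jp/:", "http://www.galapagosdesign.com/staff/dennis.htm",
    "http://fontfabrik.com", "http://www.jiyu-kobo.co.jp/Y0d", "http://www.jiyu-kobo.co.jp/2",
    "http://www.galapagosdesign.com/DPlease", "http://www.jiyu-kobo.co.jp/Y0",
    "http://www.jiyu-kobo.co.jp/(", "http://www.sandoll.co.kr", "http://www.urwpp.deDPlease",
    "http://www.jiyu-kobo.co.jp/-czL", "http://www.zhongyicts.com.cn", "http://www.sakkal.com",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
    "http://DynDns.comDynDNS", "http://www.founder.com.cn/cnLog",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://www.jiyu-kobo.co.jp/H", "http://mail.estagold.com.my", "http://www.fontbureau.comion",
    "http://www.gagalive.kr/livechat1.swf?chatroom=inchat-", "http://www.jiyu-kobo.co.jp/jp/",
    "http://www.founder.com.cn/cnsha", "http://www.carterandcone.coml", "http://www.founder.com.cn/cn",
    "http://www.jiyu-kobo.co.jp/r", "http://www.jiyu-kobo.co.jp/", "http://www.fontbureau.como",
    "http://www.jiyu-kobo.co.jp/j", "http://vHuoap.com", "https://OflDl889FuVaHuAjQFuC.com",
]

if __name__ == "__main__":
    for cat, hosts in sorted(triage(REPORT_URLS).items()):
        print(f"{cat:26s} {', '.join(hosts)}")
    print("candidate IOCs:", candidate_iocs(REPORT_URLS))
```

On this report the hunt list comes out as the two estagold.com.my hosts plus the three strings nothing explains (www.gagalive.kr, vHuoap.com, OflDl889FuVaHuAjQFuC.com); the Tor bundle URL and the DynDNS string are kept in their own buckets rather than dropped, since they describe capability even though they are not infrastructure to block.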

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
(x3 marks a verdict the report listed three times for the same URL; it is shown once here.)
http://127.0.0.1:HTTP/1.1 | Purchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers? | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | - | high
http://estagold.com.my | Purchase List.exe, 00000004.00000002.902125065.0000000003200000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.jiyu-kobo.co.jp/jp/2 | Purchase List.exe, 00000000.00000003.637686010.000000000567C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Purchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.typography.netD | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.founder.com.cn/cn/cThe | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.jiyu-kobo.co.jp/: | Purchase List.exe, 00000000.00000003.637595571.000000000567C000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://fontfabrik.com | Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
                                  http://www.jiyu-kobo.co.jp/Y0dPurchase List.exe, 00000000.00000003.637894062.000000000567A000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/2Purchase List.exe, 00000000.00000003.637415865.000000000567C000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/DPleasePurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/Y0Purchase List.exe, 00000000.00000003.637508439.000000000567C000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/(Purchase List.exe, 00000000.00000003.637415865.000000000567C000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fonts.comPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.sandoll.co.krPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPleasePurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/-czLPurchase List.exe, 00000000.00000003.637595571.000000000567C000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.zhongyicts.com.cnPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePurchase List.exe, 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.sakkal.comPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPurchase List.exe, 00000000.00000002.651016305.00000000038E0000.00000004.00000001.sdmp, Purchase List.exe, 00000004.00000002.900350877.0000000000402000.00000040.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://schooldb.inchat.kro.kr/Purchase List.exefalse
                                        high
                                        http://www.apache.org/licenses/LICENSE-2.0Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.comPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                            high
                                            http://DynDns.comDynDNSPurchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cnLogPurchase List.exe, 00000000.00000003.636133849.0000000005681000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://inchat.kro.krPurchase List.exefalse
                                              high
                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haPurchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/HPurchase List.exe, 00000000.00000003.637595571.000000000567C000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://mail.estagold.com.myPurchase List.exe, 00000004.00000002.902125065.0000000003200000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comionPurchase List.exe, 00000000.00000003.648626317.000000000567A000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.gagalive.kr/livechat1.swf?chatroom=inchat-Purchase List.exefalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/jp/Purchase List.exe, 00000000.00000003.637595571.000000000567C000.00000004.00000001.sdmp, Purchase List.exe, 00000000.00000003.637686010.000000000567C000.00000004.00000001.sdmp, Purchase List.exe, 00000000.00000003.637894062.000000000567A000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.founder.com.cn/cnshaPurchase List.exe, 00000000.00000003.636133849.0000000005681000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.carterandcone.comlPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.founder.com.cn/cnPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-user.htmlPurchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/rPurchase List.exe, 00000000.00000003.637595571.000000000567C000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/Purchase List.exe, 00000000.00000003.637415865.000000000567C000.00000004.00000001.sdmp, Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmp, Purchase List.exe, 00000000.00000003.637595571.000000000567C000.00000004.00000001.sdmp, Purchase List.exe, 00000000.00000003.637686010.000000000567C000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.comoPurchase List.exe, 00000000.00000003.648626317.000000000567A000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers8Purchase List.exe, 00000000.00000002.655339355.0000000006882000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.jiyu-kobo.co.jp/jPurchase List.exe, 00000000.00000003.637415865.000000000567C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://vHuoap.comPurchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://OflDl889FuVaHuAjQFuC.comPurchase List.exe, 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown

Contacted IPs

Public

IP             Domain    Country    ASN     ASN Name                                Malicious
103.6.196.156  unknown   Malaysia   46015   EXABYTES-AS-APExaBytesNetworkSdnBhdMY   true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358181
Start date: 25.02.2021
Start time: 07:32:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 2s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Purchase List.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/5@4/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.3% (good quality ratio 0.2%)
• Quality average: 39%
• Quality standard deviation: 32.8%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 107
• Number of non-executed functions: 6
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.113.196.254, 168.61.161.212, 13.88.21.125, 104.43.193.48, 51.104.146.109, 52.155.217.156, 20.54.26.129, 93.184.221.240, 51.104.144.132, 92.122.213.247, 92.122.213.194, 51.11.168.160
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, teams-9999.teams-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time       Type              Description
07:33:10   API Interceptor   735x Sleep call for process: Purchase List.exe modified

Joe Sandbox View / Context

IPs

Match: 103.6.196.156
Associated Sample Name / URL                      Detection   Context
https://www.webveiviseren.no/statistikk/usage/    malicious   aunlianplastic.com/site_light/usage/owa/

Domains

No context

ASN

Match: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Associated Sample Name / URL                  Detection   Context
RFQ- 978002410.exe                            malicious   103.6.196.138
CompensationClaim-46373845-02032021.xls       malicious   103.6.198.29
CompensationClaim-46373845-02032021.xls       malicious   103.6.198.29
bank TT slip.exe                              malicious   103.6.198.37
Request Quotation.exe                         malicious   103.6.198.37
bank details.exe                              malicious   103.6.198.37
Statement Of Account.exe                      malicious   103.6.196.175
3-321-68661.xls                               malicious   103.6.196.88
Detailed 079.xls                              malicious   110.4.45.32
Invoice_#_76493.xls                           malicious   110.4.45.32
Notification #591501.xls                      malicious   110.4.45.32
Notification #591501.xls                      malicious   110.4.45.32
Notification #591501.xls                      malicious   110.4.45.32
Report 290.xls                                malicious   110.4.45.32
Report 290.xls                                malicious   110.4.45.32
Report 290.xls                                malicious   110.4.45.32
Fax 740.xls                                   malicious   110.4.45.32
iZT2CEFqiVFCf9W.exe                           malicious   103.6.198.43
FFWMQQSH.EXE                                  malicious   103.6.198.43
P9y3OrGfVybC2as.exe                           malicious   103.6.198.43

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase List.exe.log
Process: C:\Users\user\Desktop\Purchase List.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1406
Entropy (8bit): 5.341099307467139
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
MD5: E5FA1A53BA6D70E18192AF6AF7CFDBFA
SHA1: 1C076481F11366751B8DA795C98A54DE8D1D82D5
SHA-256: 1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
SHA-512: 77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
Malicious: true
Reputation: moderate, very likely benign file
Preview (truncated in the report):
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp
Process: C:\Users\user\Desktop\Purchase List.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1641
Entropy (8bit): 5.180117776656713
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGZtn:cbhK79lNQR/rydbz9I3YODOLNdq3Q
MD5: D85489FF231A997DFA13E549D45EC19F
SHA1: 370FC3C921601591CD67907B39E4ABB09E8CFEB5
SHA-256: 9C65D7295876A02F4609B0C445BE646044519E6CA3485BDCD841AF2F1ADBFDF9
SHA-512: EBAD99D0283224CDBBFDB2AD79121A563BD14094819BFC52D0DE5BDD63192DCF0F373D43B927FB7CE7DAAA1B3C0963ACFFC8186B9710FBC3DE2EAE1AC583C53B
Malicious: true
Reputation: low
Preview (truncated in the report):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\fjbxiXhL.exe
Process: C:\Users\user\Desktop\Purchase List.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 700928
Entropy (8bit): 7.121357654386335
Encrypted: false
SSDEEP: 12288:yWdUDk2ovjaB8ElhsrlSDouoS1o7xY0n5m0VrfGFpeZlvX5v:ytMjaRh4eT1gW0n5HSFgZF5
MD5: E4CF61F665F6162275D903AE9704AB4B
SHA1: FAE35B4255E8D21822800C06B6BEBC467730E422
SHA-256: 902E08A184D5A096905397464B5ADD020E541AF01A856E33935763CEB42F1205
SHA-512: 150179452260CD2C946D312755B20584295645763D4E03152143FD74D55201F8ECB5C1082129B560BCD2A95ADA411309A7BCF3DB5FD761FC3CF19B3DAE1AC3B2
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 14%
• Antivirus: ReversingLabs, Detection: 34%
Reputation: low
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.6`..............P..............8... ........@.. ....................................@..................................7..W....@............................................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc..............................@..B.................8......H.......T...p]...............<...........................................0..#.......+.&...(....(..........(.....o.....*..................0..........+.&..8......8.....+/..`a.+...Ua...bXE................X....^( ....+..<....+......&...+...ZYE............&...5...=...L...f...n............\( ....+.8~.....>.8u........&.;.8g.....(.....:.8X......8P.....(.....=.8A.....(....+.(....8+.....8'......8......(....+..8......8......?.8....*....0..........+.&...+...]a.+...Za8......dY+Z.?.+..c( .
                                                    C:\Users\user\AppData\Roaming\fjbxiXhL.exe:Zone.Identifier
                                                    Process:C:\Users\user\Desktop\Purchase List.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                    C:\Users\user\AppData\Roaming\lgi0u0hy.n3j\Chrome\Default\Cookies
                                                    Process:C:\Users\user\Desktop\Purchase List.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):0.7006690334145785
                                                    Encrypted:false
                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                    MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                    SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                    SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                    SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.121357654386335
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:Purchase List.exe
                                                    File size:700928
                                                    MD5:e4cf61f665f6162275d903ae9704ab4b
                                                    SHA1:fae35b4255e8d21822800c06b6bebc467730e422
                                                    SHA256:902e08a184d5a096905397464b5add020e541af01a856e33935763ceb42f1205
                                                    SHA512:150179452260cd2c946d312755b20584295645763d4e03152143fd74d55201f8ecb5c1082129b560bcd2a95ada411309a7bcf3db5fd761fc3cf19b3dae1ac3b2
                                                    SSDEEP:12288:yWdUDk2ovjaB8ElhsrlSDouoS1o7xY0n5m0VrfGFpeZlvX5v:ytMjaRh4eT1gW0n5HSFgZF5
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.6`..............P..............8... ........@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:d086aab2b2aad403

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x48381e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x6036D721 [Wed Feb 24 22:45:53 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]

                                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x837c4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x29400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x81824 | 0x81a00 | False | 0.785465133799 | data | 7.52724111071 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0x29400 | 0x29400 | False | 0.0758877840909 | data | 3.80087437706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x842b0 | 0x1280 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x85530 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4283735867, next used block 4283735867 | |
RT_ICON | 0x95d58 | 0x94a8 | data | |
RT_ICON | 0x9f200 | 0x5488 | data | |
RT_ICON | 0xa4688 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xa88b0 | 0x25a8 | data | |
RT_ICON | 0xaae58 | 0x10a8 | data | |
RT_ICON | 0xabf00 | 0x988 | data | |
RT_ICON | 0xac888 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xaccf0 | 0x84 | data | |
RT_VERSION | 0xacd74 | 0x34c | data | |
RT_MANIFEST | 0xad0c0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                    Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                    Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016 - 2021
Assembly Version | 1.0.0.0
InternalName | IApplicationContext.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | ASM PS
ProductVersion | 1.0.0.0
FileDescription | ASM PS
OriginalFilename | IApplicationContext.exe

                                                    Network Behavior

                                                    Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/25/21-07:34:55.861941 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49768 | 587 | 192.168.2.4 | 103.6.196.156
02/25/21-07:35:00.293251 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49769 | 587 | 192.168.2.4 | 103.6.196.156

                                                    Network Port Distribution

                                                    TCP Packets


                                                    UDP Packets

                                                    Feb 25, 2021 07:33:32.373282909 CET5662153192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:32.422337055 CET53566218.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:33.305717945 CET6311653192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:33.359700918 CET53631168.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:34.300080061 CET6407853192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:34.348803997 CET53640788.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:45.841912031 CET6480153192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:45.931430101 CET53648018.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:46.433402061 CET6172153192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:46.529630899 CET53617218.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:47.038410902 CET5125553192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:47.085745096 CET6152253192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:47.107646942 CET53512558.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:47.144793034 CET53615228.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:47.556230068 CET5233753192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:47.614830971 CET53523378.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:48.071505070 CET5504653192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:48.135961056 CET53550468.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:48.678927898 CET4961253192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:48.768064022 CET53496128.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:49.343734980 CET4928553192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:49.401118994 CET53492858.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:50.090364933 CET5060153192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:50.150521040 CET53506018.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:51.075722933 CET6087553192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:51.138797998 CET53608758.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:51.798700094 CET5644853192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:51.856237888 CET53564488.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:33:56.232007980 CET5917253192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:33:56.281518936 CET53591728.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:05.159924984 CET6242053192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:05.211714983 CET53624208.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:05.326767921 CET6057953192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:05.398343086 CET53605798.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:08.826066017 CET5018353192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:08.896673918 CET53501838.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:41.386676073 CET6153153192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:41.441751957 CET53615318.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:42.849390984 CET4922853192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:42.908948898 CET53492288.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:52.607438087 CET5979453192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:52.961777925 CET53597948.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:52.985022068 CET5591653192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:53.166901112 CET53559168.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:57.620316029 CET5275253192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:57.680288076 CET53527528.8.8.8192.168.2.4
                                                    Feb 25, 2021 07:34:57.733555079 CET6054253192.168.2.48.8.8.8
                                                    Feb 25, 2021 07:34:58.093548059 CET53605428.8.8.8192.168.2.4

                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 07:34:52.607438087 CET | 192.168.2.4 | 8.8.8.8 | 0x5cec | Standard query (0) | mail.estagold.com.my | A (IP address) | IN (0x0001)
Feb 25, 2021 07:34:52.985022068 CET | 192.168.2.4 | 8.8.8.8 | 0x4d92 | Standard query (0) | mail.estagold.com.my | A (IP address) | IN (0x0001)
Feb 25, 2021 07:34:57.620316029 CET | 192.168.2.4 | 8.8.8.8 | 0x4ec3 | Standard query (0) | mail.estagold.com.my | A (IP address) | IN (0x0001)
Feb 25, 2021 07:34:57.733555079 CET | 192.168.2.4 | 8.8.8.8 | 0xf581 | Standard query (0) | mail.estagold.com.my | A (IP address) | IN (0x0001)

                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 07:34:52.961777925 CET | 8.8.8.8 | 192.168.2.4 | 0x5cec | No error (0) | mail.estagold.com.my | estagold.com.my | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:34:52.961777925 CET | 8.8.8.8 | 192.168.2.4 | 0x5cec | No error (0) | estagold.com.my | | 103.6.196.156 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:34:53.166901112 CET | 8.8.8.8 | 192.168.2.4 | 0x4d92 | No error (0) | mail.estagold.com.my | estagold.com.my | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:34:53.166901112 CET | 8.8.8.8 | 192.168.2.4 | 0x4d92 | No error (0) | estagold.com.my | | 103.6.196.156 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:34:57.680288076 CET | 8.8.8.8 | 192.168.2.4 | 0x4ec3 | No error (0) | mail.estagold.com.my | estagold.com.my | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:34:57.680288076 CET | 8.8.8.8 | 192.168.2.4 | 0x4ec3 | No error (0) | estagold.com.my | | 103.6.196.156 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:34:58.093548059 CET | 8.8.8.8 | 192.168.2.4 | 0xf581 | No error (0) | mail.estagold.com.my | estagold.com.my | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:34:58.093548059 CET | 8.8.8.8 | 192.168.2.4 | 0xf581 | No error (0) | estagold.com.my | | 103.6.196.156 | A (IP address) | IN (0x0001)

                                                    SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 25, 2021 07:34:54.442143917 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 220-datousaurus.mschosting.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 14:34:38 +0800
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 25, 2021 07:34:54.442610979 CET | 49768 | 587 | 192.168.2.4 | 103.6.196.156 | EHLO 971342
Feb 25, 2021 07:34:54.675404072 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 250-datousaurus.mschosting.com Hello 971342 [84.17.52.78]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Feb 25, 2021 07:34:54.676700115 CET | 49768 | 587 | 192.168.2.4 | 103.6.196.156 | AUTH login YWRtaW5AZXN0YWdvbGQuY29tLm15
Feb 25, 2021 07:34:54.909465075 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Feb 25, 2021 07:34:55.147022009 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 235 Authentication succeeded
Feb 25, 2021 07:34:55.147885084 CET | 49768 | 587 | 192.168.2.4 | 103.6.196.156 | MAIL FROM:<admin@estagold.com.my>
Feb 25, 2021 07:34:55.378170013 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 250 OK
Feb 25, 2021 07:34:55.378607035 CET | 49768 | 587 | 192.168.2.4 | 103.6.196.156 | RCPT TO:<bmathena@accesesdata.com>
Feb 25, 2021 07:34:55.618199110 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 250 Accepted
Feb 25, 2021 07:34:55.619250059 CET | 49768 | 587 | 192.168.2.4 | 103.6.196.156 | DATA
Feb 25, 2021 07:34:55.860157013 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Feb 25, 2021 07:34:55.863432884 CET | 49768 | 587 | 192.168.2.4 | 103.6.196.156 | .
Feb 25, 2021 07:34:56.236763954 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 250 OK id=1lFAES-00BrOb-5B
Feb 25, 2021 07:34:57.355307102 CET | 49768 | 587 | 192.168.2.4 | 103.6.196.156 | QUIT
Feb 25, 2021 07:34:57.586600065 CET | 587 | 49768 | 103.6.196.156 | 192.168.2.4 | 221 datousaurus.mschosting.com closing connection
Feb 25, 2021 07:34:58.908725023 CET | 587 | 49769 | 103.6.196.156 | 192.168.2.4 | 220-datousaurus.mschosting.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 14:34:43 +0800
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 25, 2021 07:34:58.909014940 CET | 49769 | 587 | 192.168.2.4 | 103.6.196.156 | EHLO 971342
Feb 25, 2021 07:34:59.138565063 CET | 587 | 49769 | 103.6.196.156 | 192.168.2.4 | 250-datousaurus.mschosting.com Hello 971342 [84.17.52.78]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Feb 25, 2021 07:34:59.139098883 CET | 49769 | 587 | 192.168.2.4 | 103.6.196.156 | AUTH login YWRtaW5AZXN0YWdvbGQuY29tLm15
Feb 25, 2021 07:34:59.368190050 CET | 587 | 49769 | 103.6.196.156 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Feb 25, 2021 07:34:59.602601051 CET | 587 | 49769 | 103.6.196.156 | 192.168.2.4 | 235 Authentication succeeded
Feb 25, 2021 07:34:59.603373051 CET | 49769 | 587 | 192.168.2.4 | 103.6.196.156 | MAIL FROM:<admin@estagold.com.my>
Feb 25, 2021 07:34:59.833318949 CET | 587 | 49769 | 103.6.196.156 | 192.168.2.4 | 250 OK
Feb 25, 2021 07:34:59.833936930 CET | 49769 | 587 | 192.168.2.4 | 103.6.196.156 | RCPT TO:<bmathena@accesesdata.com>
Feb 25, 2021 07:35:00.062716961 CET | 587 | 49769 | 103.6.196.156 | 192.168.2.4 | 250 Accepted
Feb 25, 2021 07:35:00.063035965 CET | 49769 | 587 | 192.168.2.4 | 103.6.196.156 | DATA
Feb 25, 2021 07:35:00.291493893 CET | 587 | 49769 | 103.6.196.156 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Feb 25, 2021 07:35:00.294219017 CET | 49769 | 587 | 192.168.2.4 | 103.6.196.156 | .
Feb 25, 2021 07:35:01.045952082 CET | 587 | 49769 | 103.6.196.156 | 192.168.2.4 | 250 OK id=1lFAEW-00BrPY-Jc

                                                    Code Manipulations

                                                    Statistics

                                                    CPU Usage

                                                    Memory Usage

                                                    High Level Behavior Distribution

                                                    Behavior

                                                    System Behavior

                                                    General

Start time: 07:33:06
Start date: 25/02/2021
Path: C:\Users\user\Desktop\Purchase List.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Purchase List.exe'
Imagebase: 0x2d0000
File size: 700928 bytes
MD5 hash: E4CF61F665F6162275D903AE9704AB4B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.649771103.0000000002671000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.651016305.00000000038E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.649882945.00000000026F4000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                    General

Start time: 07:33:12
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fjbxiXhL' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DFD.tmp'
Imagebase: 0x940000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                    General

Start time: 07:33:13
Start date: 25/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                    General

Start time: 07:33:13
Start date: 25/02/2021
Path: C:\Users\user\Desktop\Purchase List.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Purchase List.exe
Imagebase: 0xaf0000
File size: 700928 bytes
MD5 hash: E4CF61F665F6162275D903AE9704AB4B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.901634669.0000000002E81000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.900350877.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                    Disassembly

                                                    Code Analysis

                                                      Executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: <*l$*?q$*?q
                                                      • API String ID: 0-4078696573
                                                      • Opcode ID: 738f89107725c4a0733bed89ca435f6eaf7ab8fa85a29a72b48679c0915b61ac
                                                      • Instruction ID: 6c6881b5e6a736b34a174b370b4c8e8d5e56a2163e6c802aeb092437f86dcf74
                                                      • Opcode Fuzzy Hash: 738f89107725c4a0733bed89ca435f6eaf7ab8fa85a29a72b48679c0915b61ac
                                                      • Instruction Fuzzy Hash: E4D16D70E10209CFCB14DFA8C484AAEFBF2FF88315F158559E915AB355DB34A946CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: *?q$*?q
                                                      • API String ID: 0-1515704513
                                                      • Opcode ID: 0a83f914f3815f362ea1b3ec9ec98d321c67bdf2b47b13f99aac5c54c929b9fd
                                                      • Instruction ID: 1e18bfaa30d7540f7e7a28ebaea77e9e1b54cd41d646a455fdd7bec100e0c21b
                                                      • Opcode Fuzzy Hash: 0a83f914f3815f362ea1b3ec9ec98d321c67bdf2b47b13f99aac5c54c929b9fd
                                                      • Instruction Fuzzy Hash: DBB16C70E00609CFDF50CFA9D8857EEBBF2AF88305F149129D915A7258EB749846CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: *?q$*?q
                                                      • API String ID: 0-1515704513
                                                      • Opcode ID: 7faf38ad79d89a1d6c2a0305739f2d8b7e7f3495019f57337739db37dd31c5fe
                                                      • Instruction ID: 823678e21b6b52b139a99830538b0e4f96fbe86d8ab05e3fe3951a39c52d8897
                                                      • Opcode Fuzzy Hash: 7faf38ad79d89a1d6c2a0305739f2d8b7e7f3495019f57337739db37dd31c5fe
                                                      • Instruction Fuzzy Hash: D3B17F70E00209CFDB10DFA9C8917EDBBF2BF88715F549129D415E7298EB749886CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fc14b31e766b5bf3e9d1ed7bd54c3630638a7dbf186c9e64f2cfa7e37f439953
                                                      • Instruction ID: f1a2eebf9a437d0fb627fda27c77e338c8e15b58c47111f53b10278045113a98
                                                      • Opcode Fuzzy Hash: fc14b31e766b5bf3e9d1ed7bd54c3630638a7dbf186c9e64f2cfa7e37f439953
                                                      • Instruction Fuzzy Hash: B0526831A006198FCF15CF68C880BAAB7F2FF45304F5584A9E919AB262D771FD85CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 1d3a55df20028bd399c27f3e891de708582dfe3508c7347624af5f964ffe70d8
                                                      • Instruction ID: 2fe173657a9ff721f624fd7c31bfcc366596d927fb747ad9420d564c016cdca7
                                                      • Opcode Fuzzy Hash: 1d3a55df20028bd399c27f3e891de708582dfe3508c7347624af5f964ffe70d8
                                                      • Instruction Fuzzy Hash: 3D917F35E00319DFCB04DBE0D8949DDB7B6FF89314F258665E416AB264EB30A945CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6379bdb82e565760969bfb85e405425849a696a4bdd30ffcd48dfc8683de17d
                                                      • Instruction ID: 3fdbba4780a750b8d8db5d43dbc3b2ed30422cfd30b389618920eb84827955fb
                                                      • Opcode Fuzzy Hash: f6379bdb82e565760969bfb85e405425849a696a4bdd30ffcd48dfc8683de17d
                                                      • Instruction Fuzzy Hash: 47812774E05249CFDB04CFA9C58469EBBF2EF89315F24C12AD809AB309E7349D529F60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 3a2af8c38a67f8c5ed9eebd7d2d7b0e5d180ca3c6a75f3e119735a7f3675a301
                                                      • Instruction ID: 30a38749599a25771f2d73d397fadefb11718e6f691b3b148e4d8bc6bf309f2f
                                                      • Opcode Fuzzy Hash: 3a2af8c38a67f8c5ed9eebd7d2d7b0e5d180ca3c6a75f3e119735a7f3675a301
                                                      • Instruction Fuzzy Hash: F3816D35E00319DFCB04DFE1D8549DDB7BAFF89310B148665E416AB2A4EB30A945CB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6ea9af08e0963c3a2ed7850a363fe210cb8b6d663fa2fbbe97fd4c6d1fea94c7
                                                      • Instruction ID: a66f3052e24151cbd2fe4e6fa70d49b5efadb344621beae9b6aeefa058301891
                                                      • Opcode Fuzzy Hash: 6ea9af08e0963c3a2ed7850a363fe210cb8b6d663fa2fbbe97fd4c6d1fea94c7
                                                      • Instruction Fuzzy Hash: D36116B4D05208CBEB54CFA5D5447EDBBF5FB6A306F10A02AC009B7249D7749986CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4732de0cfe898d300da5767d0bbd34b2d4f4b33691f617414c4fedbcf182720
                                                      • Instruction ID: 5021b77b1610e170e870706a17b768e88d4ac06681c4ee7f000a0d14b3cf715a
                                                      • Opcode Fuzzy Hash: a4732de0cfe898d300da5767d0bbd34b2d4f4b33691f617414c4fedbcf182720
                                                      • Instruction Fuzzy Hash: 735124B4D05208CBEB58CFA5D5447EDBBF2FB6A306F10A02AD005B7249E7789946CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B9C709,00000800,00000000,00000000), ref: 00B9C91A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: *?q$*?q$*?q
                                                      • API String ID: 1029625771-196188347
                                                      • Opcode ID: c05a887124f4ab920c258c0e834ef776692bdaf5aab6b2eafa9b94ac2c42b69b
                                                      • Instruction ID: 301cc66c0f772463f9216195a24929cb6281075c52facf7c9f332b40dd1a4fdf
                                                      • Opcode Fuzzy Hash: c05a887124f4ab920c258c0e834ef776692bdaf5aab6b2eafa9b94ac2c42b69b
                                                      • Instruction Fuzzy Hash: E95123B1D002589FDB14CFAAD884BAEBFF5EB48314F14816AE815AB340D774A845CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08767ABE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID: *?q$*?q
                                                      • API String ID: 963392458-1515704513
                                                      • Opcode ID: 7ea2d834f945d619ee7992150dbfca64e0ae76fe8c0c5e0eedf1c3c4d574b5cd
                                                      • Instruction ID: 108d859c37c0aca31897cbefec3acb9a889ad66e12464556bb4e344e745ab4da
                                                      • Opcode Fuzzy Hash: 7ea2d834f945d619ee7992150dbfca64e0ae76fe8c0c5e0eedf1c3c4d574b5cd
                                                      • Instruction Fuzzy Hash: B1A1AE71D00219CFDB14CF68C8817EEBBB2FF44369F148669D819A7244D7349996CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08767ABE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID: *?q$*?q
                                                      • API String ID: 963392458-1515704513
                                                      • Opcode ID: 82f992ad4db8b8f55a4e2b638156dba8b0b31a14060171930ddd2ef35e3fddcc
                                                      • Instruction ID: 91eb5cbc04b4dfc5eeb11dcc7b78c9808a341f542e9ef7662f38c9c7c2732dac
                                                      • Opcode Fuzzy Hash: 82f992ad4db8b8f55a4e2b638156dba8b0b31a14060171930ddd2ef35e3fddcc
                                                      • Instruction Fuzzy Hash: CA919E71D00219CFEB14CFA8C8407EEBBF2BF48369F148669D819A7244D7749995CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B9E60A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID: *?q${1kl^
                                                      • API String ID: 716092398-2601543978
                                                      • Opcode ID: 6b5f7615341ec3891ccb78f7e94a9ce44444ab6986f4415b4d0e687126051c11
                                                      • Instruction ID: e3182c9bb9ebf038e4f9530604d3e6cd943ee97e16135abbde4afbe6f0095eab
                                                      • Opcode Fuzzy Hash: 6b5f7615341ec3891ccb78f7e94a9ce44444ab6986f4415b4d0e687126051c11
                                                      • Instruction Fuzzy Hash: C851B0B1D10209DFDF14CFAAC884ADEBBB5FF48314F25816AE419AB210D775A945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B9E60A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID: *?q${1kl^
                                                      • API String ID: 716092398-2601543978
                                                      • Opcode ID: 0fd13d836cb5ce821f2350461881a57bd0dc37db723a814bb886533a1ae89a1e
                                                      • Instruction ID: b1427686d6733a250737b0dec9e1ff3ce1cde44e45d6cc726f574860d2853ed4
                                                      • Opcode Fuzzy Hash: 0fd13d836cb5ce821f2350461881a57bd0dc37db723a814bb886533a1ae89a1e
                                                      • Instruction Fuzzy Hash: C551AEB1D102099FDF14CF9AC884ADEBBF5FF48314F24816AE819AB210D775A945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(?), ref: 0876FE8A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: *?q$*?q
                                                      • API String ID: 1029625771-1515704513
                                                      • Opcode ID: 42f8e13a141be0731cdf1319f3966e39e5ab1f0944c1d0307aa08fc3517746ea
                                                      • Instruction ID: 07e9c08c250315222ef272a647bb888d36ba30029eae5928fea641257bc0d844
                                                      • Opcode Fuzzy Hash: 42f8e13a141be0731cdf1319f3966e39e5ab1f0944c1d0307aa08fc3517746ea
                                                      • Instruction Fuzzy Hash: 6D3145B0D042498FDB14CFA9E48579EBFB1FB08324F14812EE815A7355DB749846CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(?), ref: 0876FE8A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: *?q$*?q
                                                      • API String ID: 1029625771-1515704513
                                                      • Opcode ID: a0853ab751529e9d97fb81b2f6928c3a01b93691cc65444ded9f0f59b7f690c0
                                                      • Instruction ID: aa0920da72c7ffbd88d487c1adea0ec631a2635d95d88c002ebb22c31c4f5bdc
                                                      • Opcode Fuzzy Hash: a0853ab751529e9d97fb81b2f6928c3a01b93691cc65444ded9f0f59b7f690c0
                                                      • Instruction Fuzzy Hash: FE3112B4D002498FDB14CFA8E48579EBFB1FB08325F14812AE815A7295DB759886CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID: *?q
                                                      • API String ID: 4139908857-1245351908
                                                      • Opcode ID: 4272924c40fce136cc7b21463b8720b45cea3f50735ebce6458627ecdaafdc43
                                                      • Instruction ID: ef1a401f6d20cfb2c36912e5b152713827893c022354b112eae4919c7e3f21cb
                                                      • Opcode Fuzzy Hash: 4272924c40fce136cc7b21463b8720b45cea3f50735ebce6458627ecdaafdc43
                                                      • Instruction Fuzzy Hash: 0C712270A00B058FDB64DF2AD19176ABBF1FF88314F10896AD48ADBB50D734E9458F91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08767690
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID: *?q
                                                      • API String ID: 3559483778-1245351908
                                                      • Opcode ID: ea460100bae63f26974626f8f05c148d99c97a479abf5c8c738f87d2be3401ce
                                                      • Instruction ID: b10d7863c17e2c2af04272423a10126187ced881098eee400ccfde49648eb2d6
                                                      • Opcode Fuzzy Hash: ea460100bae63f26974626f8f05c148d99c97a479abf5c8c738f87d2be3401ce
                                                      • Instruction Fuzzy Hash: B62169B19003099FCF10CFA9C884BDEBBF4FF48368F108529E929A7240D7789955CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08767690
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID: *?q
                                                      • API String ID: 3559483778-1245351908
                                                      • Opcode ID: 15faee84d819cef65c62fb8505e1428252cabd2b8474a6642d5a5650fef5093d
                                                      • Instruction ID: c6ca175454a5053b5dde9e96d84e896caba7a08b04b15b14507a327a38905ff7
                                                      • Opcode Fuzzy Hash: 15faee84d819cef65c62fb8505e1428252cabd2b8474a6642d5a5650fef5093d
                                                      • Instruction Fuzzy Hash: 042119719003599FCF10CFAAC884BDEBBF5FF48364F108529E959A7240D7789954CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B9790E,?,?,?,?,?), ref: 00B979CF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID: *?q
                                                      • API String ID: 3793708945-1245351908
                                                      • Opcode ID: 8fd4120e0d845412bc0d3890eeb9c118271d3a27ffef65ed3dd35da077ace12f
                                                      • Instruction ID: 77f3a3487f928cd3774d76b37011e560bdef619e7bedb344ffa2aaeedc2beda2
                                                      • Opcode Fuzzy Hash: 8fd4120e0d845412bc0d3890eeb9c118271d3a27ffef65ed3dd35da077ace12f
                                                      • Instruction Fuzzy Hash: 3921E6B5900208EFDB10CF9AD484BDEBBF8FB48324F14842AE955A7310D375A955CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B9790E,?,?,?,?,?), ref: 00B979CF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID: *?q
                                                      • API String ID: 3793708945-1245351908
                                                      • Opcode ID: 435488745e9b8be195cb5280a56d1ea8fe50a0ff2d4eb65990f919f801e8ca02
                                                      • Instruction ID: 084ccd914eb417a06273824613b299400f38653683f9289bb8d5cccf24221653
                                                      • Opcode Fuzzy Hash: 435488745e9b8be195cb5280a56d1ea8fe50a0ff2d4eb65990f919f801e8ca02
                                                      • Instruction Fuzzy Hash: 7221E6B590420CAFDB10CF9AD884ADEBBF8FB48324F14806AE914B7310D374A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 087674E6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID: *?q
                                                      • API String ID: 1591575202-1245351908
                                                      • Opcode ID: 1b42cf5080b6f37dbbb0a135b08f9d6ea9854275dfa3cc2cd4d408fa4dc11dbe
                                                      • Instruction ID: 2e980987a1e3b4e80dc87b45f4e5fb191a8bbc6d77960bb53eb5224ad0712ec8
                                                      • Opcode Fuzzy Hash: 1b42cf5080b6f37dbbb0a135b08f9d6ea9854275dfa3cc2cd4d408fa4dc11dbe
                                                      • Instruction Fuzzy Hash: 7B2138719042098FDB14DFAAC4847EEBFF4EF88268F14C429D969A7240DB789945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 087674E6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID: *?q
                                                      • API String ID: 1591575202-1245351908
                                                      • Opcode ID: 82cf317574131099a2be0f5b7f49ef37a5b779d6a576e9934e1a52f3cd0f56d4
                                                      • Instruction ID: de0c91622782f242e244d7e1ba216fe9abce0063107dfd8af2d7c11114434e38
                                                      • Opcode Fuzzy Hash: 82cf317574131099a2be0f5b7f49ef37a5b779d6a576e9934e1a52f3cd0f56d4
                                                      • Instruction Fuzzy Hash: A82138719002098FCB10CFAAC4847EEBBF4EF88268F14C429D919A7240DB78A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08767770
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID: *?q
                                                      • API String ID: 1726664587-1245351908
                                                      • Opcode ID: 51c999c56b6ce0c7b8312da3625408b275c1f186485146738d712f66edf49d79
                                                      • Instruction ID: 947d1b8ca01f0de907c4f04aa27884f88fa706e59b4298a907399af6318ce1e4
                                                      • Opcode Fuzzy Hash: 51c999c56b6ce0c7b8312da3625408b275c1f186485146738d712f66edf49d79
                                                      • Instruction Fuzzy Hash: 8C2128B18002499FCB10CFAAC884BDEFBF5FF48364F148429E919A7240D7749954CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08767770
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID: *?q
                                                      • API String ID: 1726664587-1245351908
                                                      • Opcode ID: dbca2d6b708b3a2de87ddbfaba09ef1ea5779624df30b7b4946a5ac387d884f5
                                                      • Instruction ID: 476bf596a09fa11a39b047184f3bba23fe33a4a261fa92f4694d312b6f8dcd9a
                                                      • Opcode Fuzzy Hash: dbca2d6b708b3a2de87ddbfaba09ef1ea5779624df30b7b4946a5ac387d884f5
                                                      • Instruction Fuzzy Hash: 172128B18012499FCB10CFAAC884BDEFBB5FF48364F148429E929A7240D7749955CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 087675AE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID: *?q
                                                      • API String ID: 4275171209-1245351908
                                                      • Opcode ID: a49c8d3184334c9f64018adc1164715ef1b2d0b7a7cd1625e4f2bc741079c301
                                                      • Instruction ID: 797906c6b0489f0056230db00d27ac4b277ecd604c84a3cb6aaaf10a7a811c5b
                                                      • Opcode Fuzzy Hash: a49c8d3184334c9f64018adc1164715ef1b2d0b7a7cd1625e4f2bc741079c301
                                                      • Instruction Fuzzy Hash: E81156718002489FCB10CFAAC845BEEBBF5EF88328F10842AD929A7240C7759955CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B9C709,00000800,00000000,00000000), ref: 00B9C91A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: *?q
                                                      • API String ID: 1029625771-1245351908
                                                      • Opcode ID: 0de134c1c8ae1d8d72e3ae51803a938cc6d67f789d239485b5ba9c5f5b37776a
                                                      • Instruction ID: c36bc9c8cd6365e58eb9f2686570d092ab3848a786d66200aa6a03ca4d25f6cc
                                                      • Opcode Fuzzy Hash: 0de134c1c8ae1d8d72e3ae51803a938cc6d67f789d239485b5ba9c5f5b37776a
                                                      • Instruction Fuzzy Hash: 151114B6D002089FDB10CF9AD484BEEFBF4EB88314F14846AD815B7200C375A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B9C709,00000800,00000000,00000000), ref: 00B9C91A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: *?q
                                                      • API String ID: 1029625771-1245351908
                                                      • Opcode ID: 2a302c55e655450ab1f2fbe2cf7cfda53efbe1b580280b00c9400d5d91613d13
                                                      • Instruction ID: ea26ae91610bbad20b23224bdc8c51369f10cc4ce14154ebf034de42e0ba66e4
                                                      • Opcode Fuzzy Hash: 2a302c55e655450ab1f2fbe2cf7cfda53efbe1b580280b00c9400d5d91613d13
                                                      • Instruction Fuzzy Hash: 1F11D0B69002498FDB10CF9AD488BDEFBF4EB88324F15846AD425A7600C375A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 087675AE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID: *?q
                                                      • API String ID: 4275171209-1245351908
                                                      • Opcode ID: 5bed935a247275e71cb930eb7334e7e0dd9570e6f89fa162eeb38e6e818eba95
                                                      • Instruction ID: 23c57aff1dd6418dcc4131e7da091ad11f52a94dc16bf267dde505368026cd75
                                                      • Opcode Fuzzy Hash: 5bed935a247275e71cb930eb7334e7e0dd9570e6f89fa162eeb38e6e818eba95
                                                      • Instruction Fuzzy Hash: 831137719002489FCB10CFAAC844BDFBBF5EF88324F148429D915A7250C775A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID: *?q
                                                      • API String ID: 947044025-1245351908
                                                      • Opcode ID: 2482af1b43c106ebc0ef5596a1583fd5874d6e06503ac3effde174aea7b72a4c
                                                      • Instruction ID: b889db426913991552a90265ef4836ece74bd0c65592e953ed78370397e9cb62
                                                      • Opcode Fuzzy Hash: 2482af1b43c106ebc0ef5596a1583fd5874d6e06503ac3effde174aea7b72a4c
                                                      • Instruction Fuzzy Hash: 101155B19002488FDB14DFAAC4887EEFBF4AF88228F148429C529A7200C774A945CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00B9C45B), ref: 00B9C68E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID: *?q
                                                      • API String ID: 4139908857-1245351908
                                                      • Opcode ID: c7b6e454e83d93d55caa253fb8617656c2180b241f00d293dca16e4b144cf99c
                                                      • Instruction ID: b879c186e2a29149f2eed92cdd6d020c8118293975b3de041597c6fe1cc09682
                                                      • Opcode Fuzzy Hash: c7b6e454e83d93d55caa253fb8617656c2180b241f00d293dca16e4b144cf99c
                                                      • Instruction Fuzzy Hash: 2111F0B69002098FDB20CF9AC444BDEFBF4EB88324F10846AD819A7200D374A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID: *?q
                                                      • API String ID: 947044025-1245351908
                                                      • Opcode ID: ebdc6180a9f2ea7457c8617c87a46ba1b72a97f41390abb6d8178456fc06e13f
                                                      • Instruction ID: d0fb021e075fb2b8956387b4162fd92b42f0065127a9fe75046199b97c26c632
                                                      • Opcode Fuzzy Hash: ebdc6180a9f2ea7457c8617c87a46ba1b72a97f41390abb6d8178456fc06e13f
                                                      • Instruction Fuzzy Hash: DD1136B19042488BCB14DFAAC8487EFFBF9AF88268F148429C519A7240C775A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 087474ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID: *?q
                                                      • API String ID: 410705778-1245351908
                                                      • Opcode ID: 1b1642639e8b8cdd87d9c3bd528ba04dcb328c7679d273b6489ee834ed28e026
                                                      • Instruction ID: 359a416a661e227217727b63e21fdb41975526efc916e39027e8b2badd4982fe
                                                      • Opcode Fuzzy Hash: 1b1642639e8b8cdd87d9c3bd528ba04dcb328c7679d273b6489ee834ed28e026
                                                      • Instruction Fuzzy Hash: FC11B0B580024D9FDB20DF9AD488BEEBBF8EB48324F108459E915A7200D375A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 087474ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID: *?q
                                                      • API String ID: 410705778-1245351908
                                                      • Opcode ID: 1596d8bc615f09190f73ff37e2a121dd18def1379c6bda617527b52046977e7f
                                                      • Instruction ID: 6a4926376d1b383185873ce5be70297075372d8506004eef4d8eb8a5ab3460c1
                                                      • Opcode Fuzzy Hash: 1596d8bc615f09190f73ff37e2a121dd18def1379c6bda617527b52046977e7f
                                                      • Instruction Fuzzy Hash: 0611D0B58002498FDB20CF99D585BDEBBF8EB48324F14845AE555A7200D374A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B9790E,?,?,?,?,?), ref: 00B979CF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: bec095a5e690d273c8c2c6779acf221b48305c4e980f19b6bf0551b4bf6dfbbd
                                                      • Instruction ID: 4cf321805dabc2e5480a987fa366852eca88d7ea83303ce2df9d3fddcd3030e2
                                                      • Opcode Fuzzy Hash: bec095a5e690d273c8c2c6779acf221b48305c4e980f19b6bf0551b4bf6dfbbd
                                                      • Instruction Fuzzy Hash: E3415CB8A40740AFE7089F61E5587697BF6FB98315F50642BEA018B389CB785D01CF21
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
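The executed-function blocks above for process slot 0 (the 08760000 and 00B90000 dumps) show VirtualAllocEx and ResumeThread blocks alongside DuplicateHandle and GetModuleHandleW. That is the allocate-and-resume half of a remote-process injection chain; no write or map step appears among the blocks shown here, so a reviewer should record which stages are visible rather than assert a complete chain. (The PostMessageW calls at 087474ED pass 0x0010 as the message, which is WM_CLOSE.) The script below is an added example, not Joe Sandbox's own code: it parses this block layout, reports per process slot which injection stages are visible, and collapses near-duplicate blocks onto the report's own API String ID key. It assumes that the first dotted field of the .sdmp name is a process slot number, and its INJECTION_STAGES table is the example's own mapping; the embedded SAMPLE reproduces four blocks from this page, abbreviated to the fields the parser reads.

```python
"""Triage the per-function blocks on this page (added example, not Joe Sandbox code).

Each block lists one disassembled function's Win32 calls, its memory dump and the
report's grouping keys ("API ID", "API String ID").  The parser turns blocks into
records and reports, per process slot, which stages of a remote injection chain
(allocate -> write -> resume) are visible.  Assumed, not stated on the page: the
first dotted field of the .sdmp name is a process slot, and INJECTION_STAGES (which
includes the page's tokenised forms, e.g. AllocVirtual) is this example's own map.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class FunctionRecord:
    proc: int           # leading field of the .sdmp name (assumed: process slot)
    base: str           # region base from "Offset:"
    api_id: str         # tokenised API names, '$'-separated (the report's own key)
    api_string_id: str  # the report's similarity key
    opcode_id: str
    apis: list = field(default_factory=list)  # (function, module) pairs, page order

API_CALL = re.compile(r"^•\s*([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)(?:\(|\s+ref:)")
SOURCE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+)")
FIELD = re.compile(r"^•\s*(API ID|API String ID|Opcode ID):\s*(.*)$")

INJECTION_STAGES = {
    "allocate": {"VirtualAllocEx", "AllocVirtual"},
    "write": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "resume": {"ResumeThread", "NtResumeThread", "SetThreadContext"},
}

def parse_records(text):
    """Split at each 'Uniqueness Score' line and parse the block before it."""
    records = []
    for chunk in re.split(r"^\s*Uniqueness Score:.*$", text, flags=re.M):
        proc = base = None
        fields = {"API ID": "", "API String ID": "", "Opcode ID": ""}
        apis = []
        for raw in chunk.splitlines():
            line = raw.strip()
            if (m := SOURCE.match(line)):
                proc, base = int(m.group(1).split(".")[0]), m.group(2).upper()
            elif (m := FIELD.match(line)):
                fields[m.group(1)] = m.group(2).strip()
            elif (m := API_CALL.match(line)):
                apis.append((m.group(1), m.group(2)))
        if base is None:  # blank trailer, or a block the page cut off
            continue
        records.append(FunctionRecord(proc, base, fields["API ID"],
                                      fields["API String ID"], fields["Opcode ID"], apis))
    return records

def api_names(rec):
    """Call-line names plus API ID tokens: a block may carry an API ID and no call line."""
    names = {fn for fn, _mod in rec.apis}
    names.update(seg for seg in rec.api_id.split("$") if seg)
    return names

def stages_by_process(records):
    seen = defaultdict(set)
    for rec in records:
        for stage, names in INJECTION_STAGES.items():
            if names & api_names(rec):
                seen[rec.proc].add(stage)
    return dict(seen)

def flag_injection(records):
    """Process slots where both an allocate and a resume stage are visible."""
    return sorted(p for p, s in stages_by_process(records).items()
                  if {"allocate", "resume"} <= s)

def group_by_api_string_id(records):
    """Collapse the report's near-duplicate blocks onto its own similarity key."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.api_string_id].append(rec.opcode_id)
    return dict(groups)

# Four blocks reproduced from this page, abbreviated to the fields parsed above.
SAMPLE = """\
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 087675AE
• Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
• API ID: AllocVirtual
• API String ID: 4275171209-1245351908
• Opcode ID: 5bed935a247275e71cb930eb7334e7e0dd9570e6f89fa162eeb38e6e818eba95
Uniqueness Score: -1.00%
• Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
• API ID: ResumeThread
• API String ID: 947044025-1245351908
• Opcode ID: 2482af1b43c106ebc0ef5596a1583fd5874d6e06503ac3effde174aea7b72a4c
Uniqueness Score: -1.00%
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 060EB633
• Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
• API ID: NameUser
• API String ID: 2645101109-0
• Opcode ID: a148a30beb14a65fa06dd3bf7ca64d82f34f3a91f5e6f052a2b78d6908d1699c
Uniqueness Score: -1.00%
• KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
• Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
• API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
• API String ID: 2434693497-0
• Opcode ID: 9ff8bb75b2946d6607d2fceca05b8009a4433338c84b0a670cfe3a20e3693c59
Uniqueness Score: -1.00%
"""
```

Run it with the full text of this section pasted into SAMPLE: stages_by_process(parse_records(text)) reports which slots hold an allocate and a resume stage, and group_by_api_string_id shows how many of the later 060E0000 blocks collapse onto the single key 2434693497-0. The API ID tokens are checked as well as the call lines because, as the second sample block shows, a block can carry an API ID with no call line listed under it.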

                                                      Non-executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: *?q$*?q
                                                      • API String ID: 0-1515704513
                                                      • Opcode ID: 4f330c717564cd39e31b6b485be30788964122280bcc072a3d804a700434411c
                                                      • Instruction ID: 80812d343a8af3d221958569c077334110eb0be3c2ce2a1f0f0db92646418132
                                                      • Opcode Fuzzy Hash: 4f330c717564cd39e31b6b485be30788964122280bcc072a3d804a700434411c
                                                      • Instruction Fuzzy Hash: 90916C70E00609CFDF50CFA9C884BDDBBF2AF89305F149129D915A7258DB349846CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d7a13e2b7463c9f09f929e25ffc33b8cd228ef80435a9bff66745bd6881f6ad0
                                                      • Instruction ID: 2481d6ee2d3e9fc54c9ec5e6c41ff23642422f184701007283dec232443ff0e8
                                                      • Opcode Fuzzy Hash: d7a13e2b7463c9f09f929e25ffc33b8cd228ef80435a9bff66745bd6881f6ad0
                                                      • Instruction Fuzzy Hash: 51525BB1502706EFD720CF56E8C819D7BB1FB4031AF90426AD1615B690E3B86D8BDFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656284012.0000000008740000.00000040.00000001.sdmp, Offset: 08740000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9d62af0854ff154588b3d9596d0c54a2930e9fa6a7f45441829b793166d8aa93
                                                      • Instruction ID: 325bc298cbb63a85514629117a8aae6e09b69cfa29cb9e9287412c8ca6266742
                                                      • Opcode Fuzzy Hash: 9d62af0854ff154588b3d9596d0c54a2930e9fa6a7f45441829b793166d8aa93
                                                      • Instruction Fuzzy Hash: 67D18A707006098FEB59EB75C450BAEB7F6AF89301F10447DD246DB2A5DB35E902CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.649606897.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fa0259bbfaecd505865f159e5f293b85e71317185ec91c5d0d56a3dde15e20a5
                                                      • Instruction ID: be3975b801f3a61314f754f82341274201a8b1236e634132d6ec02af8e907d9d
                                                      • Opcode Fuzzy Hash: fa0259bbfaecd505865f159e5f293b85e71317185ec91c5d0d56a3dde15e20a5
                                                      • Instruction Fuzzy Hash: A1A18C36E006198FCF05DFA5D9849DDBBF6FF89300B1585BAE905AB221EB35AD05CB40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4a70ba3f2cd671543dc1ca7a23bcabc6034779d5da26775ac6697ba5930fce2
                                                      • Instruction ID: 9ac508c5bcfa538828df035fc94c971bc8cf3386d56301f60c25cbc0f517c167
                                                      • Opcode Fuzzy Hash: c4a70ba3f2cd671543dc1ca7a23bcabc6034779d5da26775ac6697ba5930fce2
                                                      • Instruction Fuzzy Hash: 3A51A071D056588FE71DCF6B8D4069AFBF3AFC9200F14C5BAC959AB219D73009868F15
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.656305977.0000000008760000.00000040.00000001.sdmp, Offset: 08760000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a219272e0324a84b3f0d91a261383f39ddcfc19669a96b5a19e2039c0333bdca
                                                      • Instruction ID: 9a44fa3d897a0251653146d883f7f7032ade708edff1c677ef89a4463cd42e97
                                                      • Opcode Fuzzy Hash: a219272e0324a84b3f0d91a261383f39ddcfc19669a96b5a19e2039c0333bdca
                                                      • Instruction Fuzzy Hash: 174162B1D056588BEB5CCF67CD4069EFAF7AFC9201F14C5B9C91DAB219DB7009818E14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.900847013.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3ca78ba960cfb5c81c3a067d1ab01ef0266d819801602ec846535e2661b4e675
                                                      • Instruction ID: 58f91f0c46119b32539efe46fccb46be584d226fb6280454ec1f6971fc69e495
                                                      • Opcode Fuzzy Hash: 3ca78ba960cfb5c81c3a067d1ab01ef0266d819801602ec846535e2661b4e675
                                                      • Instruction Fuzzy Hash: F1614930E502099BDB14EFF5D8597AEBBF2BF84344F508928E446AB394DB74A845CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetUserNameW.ADVAPI32(00000000,00000000), ref: 060EB633
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: a148a30beb14a65fa06dd3bf7ca64d82f34f3a91f5e6f052a2b78d6908d1699c
                                                      • Instruction ID: 32b1a872f0013b529cdf94e67e28f3577aff88c9702bef285a097147bf8e1c68
                                                      • Opcode Fuzzy Hash: a148a30beb14a65fa06dd3bf7ca64d82f34f3a91f5e6f052a2b78d6908d1699c
                                                      • Instruction Fuzzy Hash: 2251F275E002288FDB58CFA9C994B9EBBF1BF48314F14812AE815BB350DB74A845CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID: x%l
                                                      • API String ID: 2434693497-3629625370
                                                      • Opcode ID: 6500b0894b0a7154d05462ae168e469093b8c5c0bc9eadb4d51f4860dd9f5f0b
                                                      • Instruction ID: 313d6c8a7888dfba22c65b48fe01871d698c58a28368012d678b6cc262731d23
                                                      • Opcode Fuzzy Hash: 6500b0894b0a7154d05462ae168e469093b8c5c0bc9eadb4d51f4860dd9f5f0b
                                                      • Instruction Fuzzy Hash: C2A208B4A40228CFCBA4EF30D85879DBBB6BF49205F5089E9D50AA3740DB359E95CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 9ff8bb75b2946d6607d2fceca05b8009a4433338c84b0a670cfe3a20e3693c59
                                                      • Instruction ID: 29f9b43d78a3a6ec823175264e038bdbc1ff96d85110007d8c6d6fd53abf3687
                                                      • Opcode Fuzzy Hash: 9ff8bb75b2946d6607d2fceca05b8009a4433338c84b0a670cfe3a20e3693c59
                                                      • Instruction Fuzzy Hash: 666207B4940228CFCBA8DF20D85879DBBB6BF49205F5085E9D60AA3740CB359ED5CF60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 5664837777cd74a9717de42baf312acadf238f3ae28125ab166d5941a58917cf
                                                      • Instruction ID: e0e56e568a1d31fa1f9a1778501309db33dc1a5a07febcac868fef77ff62e028
                                                      • Opcode Fuzzy Hash: 5664837777cd74a9717de42baf312acadf238f3ae28125ab166d5941a58917cf
                                                      • Instruction Fuzzy Hash: 2B62F7B4941228CFCBA8DF20D85879DBBB6BF49205F5085E9D60AA3740CB359ED5CF60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 4eba1027a1eb91d2f3598dea58ce779d79108a66bb424c25a77153460ccceb06
                                                      • Instruction ID: c2efb74af95ebfc3f641a9278982c42ee145bc6146b7bdd5eb4242df90eb1294
                                                      • Opcode Fuzzy Hash: 4eba1027a1eb91d2f3598dea58ce779d79108a66bb424c25a77153460ccceb06
                                                      • Instruction Fuzzy Hash: D85208B4A41228CFCBA4DF20D85879DBBB6BF49205F5085E9D60AA3740CB359ED5CF60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 7c05c415d33910f88d3451f84d165328dde8a8abc4585f01660681f16aa69849
                                                      • Instruction ID: 7cf14130705ce5fe91effe1e98b39598675dfd8cd5e7029b2e46df48c4cb1902
                                                      • Opcode Fuzzy Hash: 7c05c415d33910f88d3451f84d165328dde8a8abc4585f01660681f16aa69849
                                                      • Instruction Fuzzy Hash: C35208B4940228CFCBA4DF20D85879DBBB6BF49205F5085E9D60AA3740CB359ED5CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: c82e598231d257372c3f93ed0f0093e7f1d6d1853588706c7067154bad1206f3
                                                      • Instruction ID: 8d93ace6aec78c574cc934fb98bf487738469de754a0055d47ab774cbc9f4b9b
                                                      • Opcode Fuzzy Hash: c82e598231d257372c3f93ed0f0093e7f1d6d1853588706c7067154bad1206f3
                                                      • Instruction Fuzzy Hash: 7D5208B4A40228CFCBA4DF20D85879DBBB6BF49205F5085E9D60AA3740CB359ED5CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ECB4D
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 420e7dd71a92ae0089deee811627bbc9e1fa5a2aa385a85e2600ade9584aee24
                                                      • Instruction ID: 30997396617882ba259a06c72fc57c22b049a68003cd177aec9b50f95c267053
                                                      • Opcode Fuzzy Hash: 420e7dd71a92ae0089deee811627bbc9e1fa5a2aa385a85e2600ade9584aee24
                                                      • Instruction Fuzzy Hash: 082209B4A80228CFCB64DF20D85879DBBB6BF89205F5085E9D50AA3740DF349E95CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 87e4a20082a47b3596a3fc121e982852f1cfb5a3feca35ced2f72cd0f738a190
                                                      • Instruction ID: 61fd671247f288a4bac27e3a0897935b0625f2e7a6cf41d798984f38b4d06dff
                                                      • Opcode Fuzzy Hash: 87e4a20082a47b3596a3fc121e982852f1cfb5a3feca35ced2f72cd0f738a190
                                                      • Instruction Fuzzy Hash: C32209B4A80228CFCB64DF20D85879DBBB6BF89205F5085E9D50AA3740DF349E95CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 8a6998e3ff007b40ee917a0b5d19ee4d8284f08bae34a3f780893ed7f914cf97
                                                      • Instruction ID: 589bed435a57ad4de2ecebb224a64660444f1213b5d7ba9b7d9d682e6d5d9dba
                                                      • Opcode Fuzzy Hash: 8a6998e3ff007b40ee917a0b5d19ee4d8284f08bae34a3f780893ed7f914cf97
                                                      • Instruction Fuzzy Hash: A92208B4A80228CFCB64DF20D85879DBBB6BF89205F5085E9D50AA3740DF349E95CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: aec0fe698c98faf22d102b18247efc8840ac345e8b130eee0abca14794df1311
                                                      • Instruction ID: 82da95c7cb414eeb546fdb8725f3e5fc2f310385bffc28e83a83261dcdc9c8ce
                                                      • Opcode Fuzzy Hash: aec0fe698c98faf22d102b18247efc8840ac345e8b130eee0abca14794df1311
                                                      • Instruction Fuzzy Hash: 0F2209B4A80228CFCB64DF20D85879DBBB6BF89205F5085E9D50AA3740DF349E95CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 105d2d48640aba46765f3862d65d84d5032c95cf6739de3089788d9734c02c15
                                                      • Instruction ID: 12be4fb5e05cecc12d09ce1fccfc7d39b94ce3ae781be6d76467c629b5f2c0c1
                                                      • Opcode Fuzzy Hash: 105d2d48640aba46765f3862d65d84d5032c95cf6739de3089788d9734c02c15
                                                      • Instruction Fuzzy Hash: F92208B4A80228CFCB64DB20D85879DBBB6BF89205F5085E9D50AA3740DF349E95CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 8b86434af57a9d2e60b2a89722eea8027e547c6f36e791af17690d5e398a8920
                                                      • Instruction ID: 20b8fa28b0e36c430f751593a2b68641006a55b4eb2245cdd0d1914e2f8e87ea
                                                      • Opcode Fuzzy Hash: 8b86434af57a9d2e60b2a89722eea8027e547c6f36e791af17690d5e398a8920
                                                      • Instruction Fuzzy Hash: 472208B4E80228CFCB64DB20D85879DBBB6BF89205F5085E9D50AA3740DF349E95CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 643ba9548cfd649d5e2741516e4060e330f023bee0c367529824124c49f64d53
                                                      • Instruction ID: 22dee07fbe944de0a536c8ca62c6f3728167b2fdeee83285b44ed88966ee2bd4
                                                      • Opcode Fuzzy Hash: 643ba9548cfd649d5e2741516e4060e330f023bee0c367529824124c49f64d53
                                                      • Instruction Fuzzy Hash: A51218B4E80228CFCB64DF20D85879DBBB6BF89205F5085E9D60AA3740DB349E95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 359ff8f325afd5f14f880fbdb28dd9768fde7345815ccbd758eaff4a18278f2c
                                                      • Instruction ID: 71ba51474dfdcb615687cf48f0dc5e8b9873cb4bb1a956c284427a583f7cc5d1
                                                      • Opcode Fuzzy Hash: 359ff8f325afd5f14f880fbdb28dd9768fde7345815ccbd758eaff4a18278f2c
                                                      • Instruction Fuzzy Hash: 771217B4E802288FCB64DF20D85879DBBB6BF89205F5085E9D60AA3340DF349E95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 0b2996c4a95adba96680be7cbedc77e3c5b8a5f1e110267fce175400db406b9e
                                                      • Instruction ID: f2921497ece9085270ff419abd0d10ec79593078c69a7f5cf397769cd9d62dca
                                                      • Opcode Fuzzy Hash: 0b2996c4a95adba96680be7cbedc77e3c5b8a5f1e110267fce175400db406b9e
                                                      • Instruction Fuzzy Hash: 221218B4E802288FCB64DB60D85879DBBB6BF89205F5085E9D60AA3340DF349E95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 54c402b01678d2db18b0cbfd4f509c3f58282832cf8ef8d74f580629c5407bec
                                                      • Instruction ID: 260261f571881fe466fa8938dd440b7761cf44e2097af51f8f8a663fc2dde86e
                                                      • Opcode Fuzzy Hash: 54c402b01678d2db18b0cbfd4f509c3f58282832cf8ef8d74f580629c5407bec
                                                      • Instruction Fuzzy Hash: 991218B4E80228CFCB64DB60D85879DBBB6BF89205F5085E9D60AA3340DF349E95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 0b4ec0e02e50334e4791dd581f4fb9e0f79b317207c585107e5cfca1373453bc
                                                      • Instruction ID: b63e801e376d69cb291985a292cf5aaa38e1561d026188ac2e47aaf7ce4c6895
                                                      • Opcode Fuzzy Hash: 0b4ec0e02e50334e4791dd581f4fb9e0f79b317207c585107e5cfca1373453bc
                                                      • Instruction Fuzzy Hash: 5C1219B4E80228CFCB64DB60D85879DBBB6BF89205F5089E9D60AA3340DF349D95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 09f3581c461e6472d3a9e240a122ab9a65ada45d9cb7b791998fd19f245a13bc
                                                      • Instruction ID: fdc3c274636dd8cb875e5d2012e8e7d77770f158fdd068bd1727cdde9b524148
                                                      • Opcode Fuzzy Hash: 09f3581c461e6472d3a9e240a122ab9a65ada45d9cb7b791998fd19f245a13bc
                                                      • Instruction Fuzzy Hash: F10219B4E40228CFCB64DB60D85879DBBB6BF89205F5089E9D60AA3340DF349D95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 18bc0bbf8e4fab151e8a5c477e4f8abda42bf92d2e6076abc7bae7be33e7d095
                                                      • Instruction ID: 5f59aa33d0ee10656ed979372d6d3525552586da87ca5d406e2ac4962b5bee82
                                                      • Opcode Fuzzy Hash: 18bc0bbf8e4fab151e8a5c477e4f8abda42bf92d2e6076abc7bae7be33e7d095
                                                      • Instruction Fuzzy Hash: B80219B4E80228CFCB64EB60D85879DBBB6BF89205F5089E9D50AA3340DF349D95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED0C6
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionUser$ColorCreateDataDesktopEffectHandleInitializeMagnificationThunk
                                                      • String ID:
                                                      • API String ID: 2434693497-0
                                                      • Opcode ID: 2e4bb884bd0f422a6f9e345e17f6eedbadd5023367163957cb628b61157fda41
                                                      • Instruction ID: b45e492f21313bfe2bfbf763b0da6472a6686ecb097da9191d7b19e9d8f622c6
                                                      • Opcode Fuzzy Hash: 2e4bb884bd0f422a6f9e345e17f6eedbadd5023367163957cb628b61157fda41
                                                      • Instruction Fuzzy Hash: 020219B4E80228CFCBA4DB60D85879DBBB6BF89205F5089E9D50AA3340DF349D95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DdeCreateDataHandle.USER32 ref: 060ED124
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: ColorCreateDataDesktopDispatcherEffectExceptionHandleInitializeMagnificationThunkUser
                                                      • String ID:
                                                      • API String ID: 3106685788-0
                                                      • Opcode ID: 64f72df481ce69bb0c598c074a40e2209e9d5d492612b67c5459ee1731a30afa
                                                      • Instruction ID: 097368bec81d1738cc090a8f0b293a52ac8acc7bffe7960061ceb1d8ed4440f4
                                                      • Opcode Fuzzy Hash: 64f72df481ce69bb0c598c074a40e2209e9d5d492612b67c5459ee1731a30afa
                                                      • Instruction Fuzzy Hash: 8D0218B4E802288FCB64EB70D85879DBBB6BF89205F5089E9D50A93340DF349E95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 02E66BB0
                                                      • GetCurrentThread.KERNEL32 ref: 02E66BED
                                                      • GetCurrentProcess.KERNEL32 ref: 02E66C2A
                                                      • GetCurrentThreadId.KERNEL32 ref: 02E66C83
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: a265d147496dbe53dd36383f09944cf77e880c46e2f14bfacaa7d4e915963562
                                                      • Instruction ID: 52239efd7c23c1bf371c45b2ac0d399eba8f121702cb4decd94ddc35bed71452
                                                      • Opcode Fuzzy Hash: a265d147496dbe53dd36383f09944cf77e880c46e2f14bfacaa7d4e915963562
                                                      • Instruction Fuzzy Hash: E35113B09107498FDB14CFAAD688BEEBBF5EB88318F208459E419A7350D7746844CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: ColorDesktopDispatcherEffectExceptionInitializeMagnificationThunkUser
                                                      • String ID:
                                                      • API String ID: 1317424944-0
                                                      • Opcode ID: 215bf5fbf5b60ba3eba620492f17bb9bdadfe2a099ccd5c6b720976b23ff95eb
                                                      • Instruction ID: a6e09980442272b177d22fab7f58b9a2e6a9b7846e29546673c6ccf85581f9b9
                                                      • Opcode Fuzzy Hash: 215bf5fbf5b60ba3eba620492f17bb9bdadfe2a099ccd5c6b720976b23ff95eb
                                                      • Instruction Fuzzy Hash: 14F117B4E802288FCB64EB70D85879DBBB6BF89205F5089E9D50A93340DF349E95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: ColorDesktopDispatcherEffectExceptionInitializeMagnificationThunkUser
                                                      • String ID:
                                                      • API String ID: 1317424944-0
                                                      • Opcode ID: f26ff8d1463fac52316a0d0712a889f1563eb831d5999fe77fd6698cd76af54f
                                                      • Instruction ID: 49439304027b3e972a1d74abbb1c7b2e0da5a4b4cee9063cabc6aa61c165fbe5
                                                      • Opcode Fuzzy Hash: f26ff8d1463fac52316a0d0712a889f1563eb831d5999fe77fd6698cd76af54f
                                                      • Instruction Fuzzy Hash: 5AF116B4E802288FCB64EB60D85879DBBB6BF89205F5089E9D50AD3340DF349E95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: ColorDesktopDispatcherEffectExceptionInitializeMagnificationThunkUser
                                                      • String ID:
                                                      • API String ID: 1317424944-0
                                                      • Opcode ID: 901c801023f2b4148c666718ba8f438b881b1d046983f8d52b1d8f5401b850a0
                                                      • Instruction ID: ea0f68853a558b5df43bfc410a64b096f98f7ee8169196f705e86574a4d26204
                                                      • Opcode Fuzzy Hash: 901c801023f2b4148c666718ba8f438b881b1d046983f8d52b1d8f5401b850a0
                                                      • Instruction Fuzzy Hash: 8CF116B4E802288FCB64EB60D85879DBBB6BF89205F5089E9D50AD3340DF349E95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetMagnificationDesktopColorEffect.USER32 ref: 060ED24E
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: ColorDesktopDispatcherEffectExceptionInitializeMagnificationThunkUser
                                                      • String ID:
                                                      • API String ID: 1317424944-0
                                                      • Opcode ID: 4e7226c8cac7f595998166e78ee851981e37cc92655e74cdd07cac2e3971883a
                                                      • Instruction ID: fee5907ae86a7f0bc6ed3e0a0c1627654aac6a256466a5aa4d9f645453e7dce7
                                                      • Opcode Fuzzy Hash: 4e7226c8cac7f595998166e78ee851981e37cc92655e74cdd07cac2e3971883a
                                                      • Instruction Fuzzy Hash: DCE11770E802288FCB64EB60D8587ADBBB6BF89205F5089E9D50AD3740DF349D95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongPtrA.USER32(00000001,?,00000000,00000000,?,00000000), ref: 060EF57D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID: \%l
                                                      • API String ID: 1378638983-1147860794
                                                      • Opcode ID: f21963621f4d01f55ef1ba65b1ca6e233bddb9d9e9e3ea3ac6b27ef993c91cf6
                                                      • Instruction ID: e49abf98524f89febb3232926f85f2f6f69cf3096a21fedfef7868743144d299
                                                      • Opcode Fuzzy Hash: f21963621f4d01f55ef1ba65b1ca6e233bddb9d9e9e3ea3ac6b27ef993c91cf6
                                                      • Instruction Fuzzy Hash: 7DD16B74F502158FDB94DBA8C594BBEBBF2EB89310F148069E906EB390DB74DC418B51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \%l
                                                      • API String ID: 0-1147860794
                                                      • Opcode ID: 2cf5366d541889a7531b3abb011850826f82152b88e1f553beb1486f2eb97164
                                                      • Instruction ID: ac64bf44cf1037f483dafd723258ccaaf47602b71f0abb128c6c2e1fb5a487fa
                                                      • Opcode Fuzzy Hash: 2cf5366d541889a7531b3abb011850826f82152b88e1f553beb1486f2eb97164
                                                      • Instruction Fuzzy Hash: 82C15C74E502168FDB94DBA8C594B7EBBF2EF89310F15846AE806EB390DB34DC418B51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionInitializeThunkUser
                                                      • String ID:
                                                      • API String ID: 243558500-0
                                                      • Opcode ID: 6e2ff145fafbd97ad29664c91fd62c9d1dee41456cebdeecad628a09fc15bf99
                                                      • Instruction ID: ccf5ebdd14c5cd174eae6aa745fa99124108fa26d6156ea2887524cb2ae85697
                                                      • Opcode Fuzzy Hash: 6e2ff145fafbd97ad29664c91fd62c9d1dee41456cebdeecad628a09fc15bf99
                                                      • Instruction Fuzzy Hash: 56E11770E802288FCB64EB60D85879DBBB6BF88205F5089E9D50AD3740DF349D95CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionInitializeThunkUser
                                                      • String ID:
                                                      • API String ID: 243558500-0
                                                      • Opcode ID: ba13e095e617831f32c7c4f33960aa052ac5b0cfea7856c58570e9892ccd83fc
                                                      • Instruction ID: 2ce792c4a036de4c89217de9cfb264c5647d7882a7b48a3b6cafdd99084d767d
                                                      • Opcode Fuzzy Hash: ba13e095e617831f32c7c4f33960aa052ac5b0cfea7856c58570e9892ccd83fc
                                                      • Instruction Fuzzy Hash: C8E11770E802288FCB64EB64D8587ADBBB6BF88205F5089E9D50AD3740DF349E95CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LdrInitializeThunk.NTDLL ref: 060ED445
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: DispatcherExceptionInitializeThunkUser
                                                      • String ID:
                                                      • API String ID: 243558500-0
                                                      • Opcode ID: 98b350dc4be1a77f39793633a42a4803b19b77797d2ad6b0c6dfed5b27abd81e
                                                      • Instruction ID: ae8d68d2b8bff844dfabe1d56030a703dc8a31e12a044c550758a9170d1e77fa
                                                      • Opcode Fuzzy Hash: 98b350dc4be1a77f39793633a42a4803b19b77797d2ad6b0c6dfed5b27abd81e
                                                      • Instruction Fuzzy Hash: EAE11874E802288FCB64EB64D8587ADBBB6BF88205F5089E9D50AD3780DF349D95CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.900847013.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 735ab821f921ad4bb660485107271a1ffa75b21b6b2d8d292fd2b4f62896be17
                                                      • Instruction ID: 7fe13c41b7f1497a5560230a720ada4864d6ebcb1cca43b58966cf36ecb3899e
                                                      • Opcode Fuzzy Hash: 735ab821f921ad4bb660485107271a1ffa75b21b6b2d8d292fd2b4f62896be17
                                                      • Instruction Fuzzy Hash: 82B1F334B483458FD7059BB8D8183AE7BF2AF85204F1985BAD545CB792EF35DC0A8B90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02E64216
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: b631b7f3aff784b4b09d1833fa02c9d9c939c1759246ad27fe5b5e67a7278112
                                                      • Instruction ID: bb62be9e80550fa037d6255be4ef8d95d6824c59162ba9c9278501bf8149688c
                                                      • Opcode Fuzzy Hash: b631b7f3aff784b4b09d1833fa02c9d9c939c1759246ad27fe5b5e67a7278112
                                                      • Instruction Fuzzy Hash: 7AB18D74A407058FCB18EF69C48466EBBF6FF88358B10C92DD90ADB750DB34E8058B90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      • CharToOemW.USER32(00000000,00000000), ref: 060EDC15
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: CharDispatcherExceptionUser
                                                      • String ID:
                                                      • API String ID: 3077673714-0
                                                      • Opcode ID: c2d4cca79a63529932ad6b8a509bd2bd0590dfde56a38f8d6462188c26977914
                                                      • Instruction ID: 7dc33aa07d01f1ebb853432f130299a730f577e1af29b0b5c23668466229ae73
                                                      • Opcode Fuzzy Hash: c2d4cca79a63529932ad6b8a509bd2bd0590dfde56a38f8d6462188c26977914
                                                      • Instruction Fuzzy Hash: E3513EB1A802298FCB64DB34C8587ADBBB6BF88205F5485E9D50AD3780DF349D85CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      • CharToOemW.USER32(00000000,00000000), ref: 060EDC15
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: CharDispatcherExceptionUser
                                                      • String ID:
                                                      • API String ID: 3077673714-0
                                                      • Opcode ID: 97ebfcad620dee52315c4fb399485e2ab4f6e5c0d670633f854319cfe73bd6e3
                                                      • Instruction ID: aa16855b5060e1b51717a43aa104f009d1f1c15ffdf128c172e2150fc5ea9aaf
                                                      • Opcode Fuzzy Hash: 97ebfcad620dee52315c4fb399485e2ab4f6e5c0d670633f854319cfe73bd6e3
                                                      • Instruction Fuzzy Hash: 96513D71A802298FCB64DB24C8587ADBBB6BF88205F5085E8D50AD3780DF389D85CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 948605ebd5d517805fdb28ad32e43a8cd8db10e07fd449c344963d30d08ccc89
                                                      • Instruction ID: b8c220fa8d16521f2cd5a659579dee02deeb6c0595074c841ef979a7ebd3af82
                                                      • Opcode Fuzzy Hash: 948605ebd5d517805fdb28ad32e43a8cd8db10e07fd449c344963d30d08ccc89
                                                      • Instruction Fuzzy Hash: 035112B1D40249AFDF15CFA9C884ADEBFB1FF48354F24816AE818AB220D7719855CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • KiUserExceptionDispatcher.NTDLL ref: 060ED851
                                                      • CharToOemW.USER32(00000000,00000000), ref: 060EDC15
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: CharDispatcherExceptionUser
                                                      • String ID:
                                                      • API String ID: 3077673714-0
                                                      • Opcode ID: b2b6fdcad556adcc67cde8b815899cbe77194596544692674ea9f3aa1d571844
                                                      • Instruction ID: f81d89aea67ec22d3dd518286d3380693c7d59c2e541b67b4660c3b709e16602
                                                      • Opcode Fuzzy Hash: b2b6fdcad556adcc67cde8b815899cbe77194596544692674ea9f3aa1d571844
                                                      • Instruction Fuzzy Hash: C5514DB1E802298FCB64DB24C9587ADBAF6BF88205F5485E8D50AD3780DF389D85CF54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetUserNameW.ADVAPI32(00000000,00000000), ref: 060EB633
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: d74b44281b64b084e5ccdb092a65fc12dfee3e7b5888aefc190c6d44b855c58d
                                                      • Instruction ID: 72d5aeecdb8983a31e8f14c8f3e0f5af8f6e05689c7661d4f038cfe7429a7fc2
                                                      • Opcode Fuzzy Hash: d74b44281b64b084e5ccdb092a65fc12dfee3e7b5888aefc190c6d44b855c58d
                                                      • Instruction Fuzzy Hash: DB510071E002288FDB58CFA9C985B9EBBF1BF48314F14852AE815BB351D778A844CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetUserNameW.ADVAPI32(00000000,00000000), ref: 060EB633
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.904924225.00000000060E0000.00000040.00000001.sdmp, Offset: 060E0000, based on PE: false
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: c8727f0fd46b39f46f9f9fce305a95323fd8e2d5ca6c3a7fa92e9c6a3dbf1c68
                                                      • Instruction ID: a15359f28f979327fb825c976019b193ca1f00f6b40a8c4fe7cd065114899de2
                                                      • Opcode Fuzzy Hash: c8727f0fd46b39f46f9f9fce305a95323fd8e2d5ca6c3a7fa92e9c6a3dbf1c68
                                                      • Instruction Fuzzy Hash: 5B51F175E002288FDB58CFA9C994B9EBBF1BF48314F14812AE815BB391D774A844CF95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E652A2
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: a197b2164a3ff364ab8b3eb880a3a9846df5a03b8c4a08cb63d4143a1b7a93f8
                                                      • Instruction ID: e0800079d34c4196711e93f1dc49914fadff16aa5e2b7cde72998e2023b4e39f
                                                      • Opcode Fuzzy Hash: a197b2164a3ff364ab8b3eb880a3a9846df5a03b8c4a08cb63d4143a1b7a93f8
                                                      • Instruction Fuzzy Hash: 6841DDB1D403089FDF14CF99C884ADEFBB5BF88354F64812AE819AB210D770A885CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 02E67D01
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      • Opcode ID: 180f22c1edf0525089050f108aa2b76beedfd7c8abb494314446d6ebf1b19535
                                                      • Instruction ID: 0df02375d4d4a1d4d3f564eaee42351b89e9c4e6cf265e32ca8491ab544bbc49
                                                      • Opcode Fuzzy Hash: 180f22c1edf0525089050f108aa2b76beedfd7c8abb494314446d6ebf1b19535
                                                      • Instruction Fuzzy Hash: 20412AB9940209CFDB14CF59C488AAAFBF5FB89318F14C459E519AB361D734A841CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.900847013.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 39c9eaa68548d31c9ba5929f180243d63605934dfc536c71762e407207212c07
                                                      • Instruction ID: d29bd0ac4babb86e8697d6da0fe5d1fa8f02830b532c84a9f9423d0b6c6ca171
                                                      • Opcode Fuzzy Hash: 39c9eaa68548d31c9ba5929f180243d63605934dfc536c71762e407207212c07
                                                      • Instruction Fuzzy Hash: EC31AB30A05348CFDB06DFA8D458BAD7BB2BF46304F5585A9E045AB3A1D739984ACB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlEncodePointer.NTDLL(00000000), ref: 02E6C442
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
                                                      Similarity
                                                      • API ID: EncodePointer
                                                      • String ID:
                                                      • API String ID: 2118026453-0
                                                      • Opcode ID: d6f50134d8ada3bbf496da56aab032619b53d205b0035edef7589d2977e58c64
                                                      • Instruction ID: 01a007743187da38591e8c9ecdbd69bde483cf554478ca203782a1b1a568d846
                                                      • Opcode Fuzzy Hash: d6f50134d8ada3bbf496da56aab032619b53d205b0035edef7589d2977e58c64
                                                      • Instruction Fuzzy Hash: CA3127708453898FDB10DFA8D90D3BEBFF5EB06358F14946AE484AB642C7795405CFA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E66DFF
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: d21eef0fb4a2200abb6b841f357d47092aa9698dada4cc662cebb23673e29388
                                                      • Instruction ID: 4ed319011b5ff176b4af590ef7b6c485271c5702a51a63575f2993eca359c657
                                                      • Opcode Fuzzy Hash: d21eef0fb4a2200abb6b841f357d47092aa9698dada4cc662cebb23673e29388
• Instruction Fuzzy Hash: 2A21E4B59002099FDB10CFA9D884AEEFBF8FB48324F14801AE914A3310D379A954CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E66DFF
Memory Dump Source
• Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 7901b92860c9cad2a1d23e3915485a7afe68a04cc75d4f9fade2c36dacd6e73f
• Instruction ID: 1880946b0a447c6ead576cd31a7b724e0f10d667d32cd7a0eae9fc23e09c5233
• Opcode Fuzzy Hash: 7901b92860c9cad2a1d23e3915485a7afe68a04cc75d4f9fade2c36dacd6e73f
• Instruction Fuzzy Hash: CF21D5B5D002489FDB10CF99D584ADEFBF8FB48324F14841AE914A7310D379A954CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,06CEB961,00000800), ref: 06CEB9F2
Memory Dump Source
• Source File: 00000004.00000002.905752130.0000000006CE0000.00000040.00000001.sdmp, Offset: 06CE0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 6b56d3f74575d0f618c8b3ca1d316fceefeafc959da6416aff9215e6d62faa23
• Instruction ID: 12df78115109f7151fb4c25c25e6d49bd915f6db70a114c24639dd7c910db938
• Opcode Fuzzy Hash: 6b56d3f74575d0f618c8b3ca1d316fceefeafc959da6416aff9215e6d62faa23
• Instruction Fuzzy Hash: 0F1114B6D002498FDB10CF9AD484AEEFBF4EB98324F00842EE415A7200C375A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 02E6C442
Memory Dump Source
• Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 23561bf989e4cce22e7f267e8b238ddaf54e510c61c9f22751460ab5c3a96bf7
• Instruction ID: 6c705b040ebb4d07f8cce5bcdf031fe5bf0bca76df6122b92035343ead84cef1
• Opcode Fuzzy Hash: 23561bf989e4cce22e7f267e8b238ddaf54e510c61c9f22751460ab5c3a96bf7
• Instruction Fuzzy Hash: 45119A709403098FCF10DFA9D94C7AEBBF8EB49368F20942AD544A7A40D779A844CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02E64216
Memory Dump Source
• Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: fee7c86620f40302930a11db01731174ce753a0f03e86013b73b06ab1b928cba
• Instruction ID: 383d49397e6fc69295e0fbed71c8f9b39e7c842c07c98acb74e93011552af9c2
• Opcode Fuzzy Hash: fee7c86620f40302930a11db01731174ce753a0f03e86013b73b06ab1b928cba
• Instruction Fuzzy Hash: 6D2133B6D406488FDB24CF8AC44879EFBF1EF88318F24C56AC428A7210D335A146CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02E64216
Memory Dump Source
• Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 29685a811a7ae938c486ae5d67ded7cf5e7e3dce7bea9d35a820f01087b77604
• Instruction ID: dac475e6853dcabe4aa477a93bef87f44695bd425d579e552b6677231a77c9f4
• Opcode Fuzzy Hash: 29685a811a7ae938c486ae5d67ded7cf5e7e3dce7bea9d35a820f01087b77604
• Instruction Fuzzy Hash: 881104B5D402498FDB20CF9AD448BDEFBF4EB89254F10C46AD829B7640D374A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02E64216
Memory Dump Source
• Source File: 00000004.00000002.901595280.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 5b2c212f31e60798d7b45354e02517335331cbe7508c512cde3fa5386500a8f6
• Instruction ID: 761bd396ee842d9cd5d9bc52e4ea9de9a1068c3d4960df95f1b759648181316b
• Opcode Fuzzy Hash: 5b2c212f31e60798d7b45354e02517335331cbe7508c512cde3fa5386500a8f6
• Instruction Fuzzy Hash: C21102B6C402498FCB24CF9AD488BDEFBF4EB88228F15C41AD429B7640C374A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06CEF4A5
Memory Dump Source
• Source File: 00000004.00000002.905752130.0000000006CE0000.00000040.00000001.sdmp, Offset: 06CE0000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 0e303b7256b3015753d5d6cefd13f7ebda469f057c073287e2d439f858ac36ac
• Instruction ID: 336a45651524cbdd8b29f9d5a5a64fbbeade9fc6b742167210e48cc7deea9e8d
• Opcode Fuzzy Hash: 0e303b7256b3015753d5d6cefd13f7ebda469f057c073287e2d439f858ac36ac
• Instruction Fuzzy Hash: C71145B19002488FCB20CF9AD488BDEFBF8EB48324F10841ED528B3200D374A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.901431930.0000000002C1D000.00000040.00000001.sdmp, Offset: 02C1D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2b63a3746ebc609c943392dc56ec6a5662503719dc489946208f0bf20513381
• Instruction ID: 92c8bcdc9fd9a11f6eecc07cd18151b5533d3eaf3d8f3f0f95f34b327a9a1797
• Opcode Fuzzy Hash: f2b63a3746ebc609c943392dc56ec6a5662503719dc489946208f0bf20513381
• Instruction Fuzzy Hash: 7A2137B5504204EFDB14CF10D9C0B16BBA5FB85314F20C5ADD80A4B346C33AD847DBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.901431930.0000000002C1D000.00000040.00000001.sdmp, Offset: 02C1D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c241dcfc9bb986b4a4671d2cfdf0acde02c70ad359d419d15a8be99dbeda9b98
• Instruction ID: 3f13eae801e249c17c31cfeff1236941bb6063dda809ace5f87f396e29dc9dd1
• Opcode Fuzzy Hash: c241dcfc9bb986b4a4671d2cfdf0acde02c70ad359d419d15a8be99dbeda9b98
• Instruction Fuzzy Hash: 7C2192755093C08FCB12CF24D594715BF71EB86214F28C5DAD8498B697C33AD84BDBA2
Uniqueness
Uniqueness Score: -1.00%

                                                      Non-executed Functions